From 67e83dd1930726f316e19aef8f45efc9dc4feda3 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Fri, 6 Apr 2007 18:10:51 +0000 Subject: Add fetchmail-SA-2007-01.txt. Add publication date of Gaetan Leurent's CVE-2007-1558. svn path=/branches/BRANCH_6-3/; revision=5085 --- Makefile.am | 1 + NEWS | 3 +- fetchmail-SA-2007-01.txt | 89 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 fetchmail-SA-2007-01.txt diff --git a/Makefile.am b/Makefile.am index 3757544d..423450da 100644 --- a/Makefile.am +++ b/Makefile.am @@ -129,6 +129,7 @@ DISTDOCS= FAQ FEATURES NOTES OLDNEWS fetchmail-man.html \ fetchmail-features.html README.SSL README.NTLM \ README.packaging \ fetchmail-FAQ.book fetchmail-FAQ.pdf fetchmail-FAQ.html \ + fetchmail-SA-2007-01.txt \ fetchmail-SA-2006-03.txt \ fetchmail-SA-2006-02.txt \ fetchmail-SA-2006-01.txt \ diff --git a/NEWS b/NEWS index 11663219..82e6992f 100644 --- a/NEWS +++ b/NEWS @@ -48,7 +48,7 @@ fetchmail 6.3.8 (not yet released): * Make the APOP challenge parser more distrustful and have it reject challenges that do not conform to RFC-822 msg-id format, in the hope to make mounting man-in-the-middle attacks (MITM) against APOP a bit more difficult. - (CVE-2007-1558) + (CVE-2007-1558, reported by Gaëtan Leurent, published 2007-04-02 on Bugtraq) APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical setups: based on MD5 collisions, it is purportedly possible to recover the @@ -82,6 +82,7 @@ fetchmail 6.3.8 (not yet released): excellent detail by Reto Schüttel, Debian Bug#416812. # DOCUMENTATION: +* Add fetchmail-SA-2007-01.txt * Extend --mda documentation, discourage use of qmail-inject. Based on a patch by Rob MacGregor. * Document SOCKS configuration facility (SOCKS_CONF environment variable). diff --git a/fetchmail-SA-2007-01.txt b/fetchmail-SA-2007-01.txt new file mode 100644 index 00000000..7c224f93 --- /dev/null +++ b/fetchmail-SA-2007-01.txt 
@@ -0,0 +1,89 @@ +fetchmail-SA-2007-01: APOP considered insecure + +Topics: The POP3/APOP authentication, by itself, is considered broken. + +Author: Matthias Andree +Version: 1.0 +Announced: 2007-04-06 +Type: password theft when under MITM attack +Impact: password disclosure possible +Danger: low +Credits: Gaëtan Leurent +CVE Name: CVE-2007-1558 +URL: http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt +Project URL: http://fetchmail.berlios.de/ + +Affects: fetchmail release < 6.3.8 + +Not affected: fetchmail release 6.3.8 + +Corrected: 2007-03-18 fetchmail SVN + + +0. Release history +================== + +2007-04-06 1.0 first release + + +1. Background +============= + +fetchmail is a software package to retrieve mail from remote POP2, POP3, +IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or +message delivery agents. + +fetchmail ships with a graphical, Python/Tkinter based configuration +utility named "fetchmailconf" to help the user create configuration (run +control) files for fetchmail. + + +2. Problem description and Impact +================================= + +The POP3 standard, currently RFC-1939, has specified an optional, +MD5-based authentication scheme called "APOP". + +Fetchmail's POP3 client implementation however has happily accepted +random garbage as a POP3 server's APOP challenge, rather than insisting +that the APOP challenge conformed to RFC-822, as required by RFC-1939. +This made it easier than necessary for man-in-the-middle attackers to +retrieve by several probing and guessing the first three characters of +the APOP secret, bringing brute forcing the remaining characters well +within reach. + + +3. Solution +=========== + +Either of these is currently considered sufficient. + +A. Only use APOP on SSL or TLS secured connections with mandatory and thorough + certificate validation, such as fetchmail --sslproto tls1 --sslcertck + or --sslproto ssl3 --sslcertck), or equivalent in the run control file. + +B. 
Avoid APOP and use stronger authenticators. + +C. If you must continue to use APOP without SSL/TLS, then install + fetchmail 6.3.8 or newer, as it is less susceptible to the attack by + validating the APOP challenge more strictly to make the attack + harder. The fetchmail 6.3.8 source code is available from + . + + +A. Copyright, License and Warranty +================================== + +(C) Copyright 2007 by Matthias Andree, . +Some rights reserved. + +This work is licensed under the Creative Commons +Attribution-NonCommercial-NoDerivs German License. To view a copy of +this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/ +or send a letter to Creative Commons; 559 Nathan Abbott Way; +Stanford, California 94305; USA. + +THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. +Use the information herein at your own risk. + +END OF fetchmail-SA-2007-01.txt -- cgit v1.2.3
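Review bot: In the NEWS hunk at @@ -48,7 the header still reads "fetchmail 6.3.8 (not yet released)", yet the advisory added in this same commit lists 6.3.8 under "Not affected" and tells users in Solution C to install it; the advisory should say 6.3.8 is forthcoming (its own "Corrected: 2007-03-18 fetchmail SVN" line already admits the fix is only in SVN), or the advisory should be held until the release ships. Adding the reporter and the Bugtraq publication date next to the CVE number is a good change, since it makes the entry verifiable.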
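Review bot: In the NEWS hunk at @@ -82,6 the new item "* Add fetchmail-SA-2007-01.txt" lacks the terminating period the neighbouring entries use and does not say what the file is; suggest "* Add fetchmail-SA-2007-01.txt, the security advisory for CVE-2007-1558 (APOP)." so a reader of NEWS can connect it to the CVE entry earlier in the same release section.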
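Review bot: In the new fetchmail-SA-2007-01.txt, Solution A has an unbalanced parenthesis in "--sslproto ssl3 --sslcertck), or equivalent in the run control file"; either drop the ")" or open the parenthesis before "such as". Three further points in the same file: the sentence "retrieve by several probing and guessing the first three characters of the APOP secret" does not parse, and something like "recover the first three characters of the APOP secret through repeated probing, bringing a brute-force search of the remaining characters within reach" states the same impact clearly; the Background paragraph about fetchmailconf has no bearing on an APOP challenge-parsing issue and could be dropped from this advisory; and in the rendered diff the download URL after "available from" in Solution C and the contact address after "(C) Copyright 2007 by Matthias Andree," appear empty, so check that the angle-bracketed values are actually present in the committed file rather than lost in rendering.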