fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode Topics: fetchmail denial of service in STARTTLS protocol phases Author: Matthias Andree Version: 1.0 Announced: 2011-06-06 Type: Unguarded blocking I/O can cause indefinite application hang Impact: Denial of service Danger: low CVE Name: CVE-2011-1947 CVSSv2: (AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C) CVSS scores: 4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7 This is calculated without Environmental Score. URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt Project URL: http://www.fetchmail.info/ Affects: fetchmail releases 5.9.9 up to and including 6.3.19 Not affected: fetchmail release 6.3.20 and newer Corrected in: 2011-05-26 Git, among others, see commit 7dc67b8cf06f74aa57525279940e180c99701314 2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing) 2011-06-06 fetchmail 6.3.20 release tarball 0. Release history ================== 2011-05-30 0.1 first draft (visible in Git and through oss-security) 2011-06-06 1.0 release 1. Background ============= fetchmail is a software package to retrieve mail from remote POP3, IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or message delivery agents. fetchmail supports SSL and TLS security layers through the OpenSSL library, if enabled at compile time and if also enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as well as in-band-negotiated "STARTTLS" and "STLS" modes through the regular protocol ports. 2. Problem description and Impact ================================= Fetchmail version 5.9.9 introduced STLS support for POP3, version 6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated in-band SSL/TLS negotiation was not guarded by a timeout. Depending on the operating system defaults as to TCP stream keepalive mode, fetchmail hangs in excess of one week after sending STARTTLS were observed if the connection failed without notifying the operating system, for instance, through network outages or hard server crashes. A malicious server that does not respond, at the network level, after acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail in this protocol state, and thus render fetchmail unable to complete the poll, or proceed to the next server, effecting a denial of service. SSL-wrapped mode on dedicated ports was unaffected by this problem, so can be used as a workaround. 3. Solution =========== Install fetchmail 6.3.20 or newer. The fetchmail source code is always available from . Distributors are encouraged to review the NEWS file and move forward to 6.3.20, rather than backport individual security fixes, because doing so routinely misses other fixes crucial to fetchmail's proper operation, for which no security announcements are issued. Several such (long-standing) bugs were fixed through recent releases, and an erratum notice for SASL authentication was issued. Fetchmail 6.3.X releases have always been made with a focus on unchanged user and program interfaces so as to avoid disruptions when upgrading from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the interface incompatibly. 4. Workaround ============= If supported by the server's configuration, fetchmail can be run in ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto ssl3" option must be configured (possibly replacing sslproto tls1 where configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on the command line (where it applies to all poll configurations). It is generally also advisable to enforce SSL certificate validation, by either using --sslcertck on the command line, or using sslcertck in a "default" configuration entry of the rcfile, or using sslcertck in each of the relevant individual poll descriptions of the rcfile. A. Copyright, License and Non-Warranty ====================================== (C) Copyright 2011 by Matthias Andree, . Some rights reserved. This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Germany License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to Creative Commons 171 Second Street Suite 300 SAN FRANCISCO, CALIFORNIA 94105 USA THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES. Use the information herein at your own risk. END of fetchmail-SA-2011-01