-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

fetchmail-SA-2021-02: STARTTLS session encryption bypassing

Topics:		fetchmail fails to enforce an encrypted connection

Author:		Matthias Andree
Version:	1.0
Announced:	2021-08-26 (0.9), 2021-09-13 (1.0)
Type:		failure to enforce configured security policy
Impact:		fetchmail continues an unencrypted connection,
		thus reading unauthenticated input and sending
		information unencrypted over its transport
Danger:		medium
Acknowledgment:	Andrew C. Aitchison for reporting this against fetchmail
		Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian 
		Schinzel for their Usenix Security 21 paper NO STARTTLS

CVE Name:	CVE-2021-39272
URL:		https://www.fetchmail.info/fetchmail-SA-2021-02.txt
Project URL:	https://www.fetchmail.info/

Affects:	- fetchmail releases up to and including 6.4.21

Not affected:	- fetchmail releases 6.4.22 and newer

Corrected in:	2021-09-13	fetchmail 6.4.22 release tarball

0. History of this announcement
===============================

2021-08-10	Andrew C. Aitchison contacts fetchmail maintainer with pointer 
		to Usenix Security 21 paper by Damian Poddebniak et al.
2021-08-16	a simplified recommendation to configure --ssl where possible
		(see section 3b. below) to mitigate the impact was sent to the
		fetchmail mailing lists
2021-08-26 0.9	initial release along with fetchmail 6.4.22.rc1
2021-08-27 0.9.1 update references to 6.4.22.rc2.
2021-08-29 0.9.2 update references to 6.4.22.rc3 and correct 0.9.1 date.
2021-09-13 1.0	remove reference to rc3 from "corrected in" and bump v. to 1.0.


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.


2. Problem description and Impact
=================================

fetchmail permits requiring that an IMAP or POP3 protocol exchange uses
a TLS-encrypted transport, in 6.4 by way of an --sslproto auto or similar
configuration.
  This TLS encryption can be established either as an Implicit TLS
connection, which negotiates TLS before any protocol exchange, or as
STARTTLS, which starts as a cleartext protocol exchange that is then
upgraded to TLS within the same TCP stream.

Without special configuration, fetchmail would opportunistically try to
upgrade cleartext connections to TLS by STARTTLS, but would still allow
a cleartext protocol exchange if no TLS was negotiated; this behaviour
is documented.

IMAP also supports sessions that start in "authenticated state" (PREAUTH).
In this case, IMAP (RFC 3501) does not permit a STARTTLS negotiation,
which is only permissible in the not-authenticated state.
  In such a combination of circumstances (1. IMAP protocol in use, 2. the
server greets with PREAUTH, announcing authenticated state, 3. the user
configured TLS as mandatory, 4. the user did not configure "ssl" mode,
which uses separate ports for Implicit SSL/TLS), fetchmail 6.4.21 and
older would not encrypt the session.

There was a similar situation for POP3: if the remote name contained
@compuserve.com, if the server supported a non-standard "AUTH" command
without a mechanism argument, and if it responded with a list that
contained "RPA" (also in mixed or lower case), then fetchmail would not
attempt STARTTLS.  While the password itself is then protected by the RPA
scheme (which however employs MD5), fetchmail 6.4.21 and older would not
encrypt the session.

A configuration containing --auth ssh (meaning that fetchmail should not
authenticate, on the assumption that the session will be pre-authenticated,
for instance through SSH running a mail server with --plugin, or through
TLS client certificates) would also defeat STARTTLS as a result of an
implementation defect.  This affected both POP3 and IMAP.
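As an added illustration (constructed for this advisory, not fetchmail's own code), the decision a client has to make after the IMAP greeting and after the reply to STARTTLS when TLS is configured as mandatory but Implicit TLS ("ssl" mode) is not in use; the enum and function names and the sample server lines are assumptions made for this example.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed example, not fetchmail code: enum and function names are
 * assumptions. Models the transport decision for the PREAUTH case of the
 * advisory when the user configured TLS as mandatory (--sslproto auto)
 * without Implicit TLS ("ssl" mode). */

enum tls_policy { TLS_OPPORTUNISTIC, TLS_MANDATORY };
enum action { ACT_SEND_STARTTLS, ACT_TLS_HANDSHAKE, ACT_CLEARTEXT, ACT_ABORT };

/* greeting: the untagged server greeting, e.g. "* OK ..." or "* PREAUTH ...".
 * IMAP atoms are case-insensitive, hence strncasecmp. */
enum action imap_after_greeting(enum tls_policy policy, const char *greeting)
{
    if (strncasecmp(greeting, "* PREAUTH", 9) == 0) {
        /* Authenticated state: RFC 3501 forbids STARTTLS here, so the session
         * can never be upgraded. With TLS mandatory the only safe choice is
         * to abort; 6.4.21 and older continued in cleartext instead. */
        return policy == TLS_MANDATORY ? ACT_ABORT : ACT_CLEARTEXT;
    }
    if (strncasecmp(greeting, "* OK", 4) != 0)
        return ACT_ABORT;            /* "* BYE" or an unexpected greeting */
    /* Not-authenticated state: ask for the upgrade; the policy is enforced
     * on the server's answer, not on whether the greeting advertised it. */
    return ACT_SEND_STARTTLS;
}

/* reply: the tagged reply to the client's STARTTLS command, e.g. "a1 OK ..." */
enum action imap_after_starttls_reply(enum tls_policy policy, const char *reply)
{
    const char *status = strchr(reply, ' ');   /* skip the tag */
    if (status && strncasecmp(status + 1, "OK", 2) == 0)
        return ACT_TLS_HANDSHAKE;    /* TLS negotiation begins now */
    /* NO/BAD: the server refused. Cleartext is only acceptable when TLS was
     * opportunistic; a mandatory policy must terminate the session. */
    return policy == TLS_MANDATORY ? ACT_ABORT : ACT_CLEARTEXT;
}
```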


3. Solutions
============

PREFACE: distributors backporting fixes to old versions are asked to diff
the manual page and the NEWS file and review the changes, because the
manual page has been updated with newer recommendations.  The same
backport recommendation holds for the README.SSL file.


3a. Install fetchmail 6.4.22 or newer.

The fetchmail source code is available from
<https://sourceforge.net/projects/fetchmail/files/>.

The Git-based source code repository is currently published via
https://gitlab.com/fetchmail/fetchmail/-/tree/legacy_64 (primary)
https://sourceforge.net/p/fetchmail/git/ci/legacy_64/tree/ (copy)


3b. Where the IMAP or POP3 server supports this form of access,
fetchmail can be configured to use Implicit TLS, called "ssl" mode, meaning
it will connect to a dedicated port (default: 993 for IMAP, 995 for POP3)
and negotiate TLS without any prior cleartext protocol exchange.
  Also, --ssl can be given on the command line, which switches all
configured server statements to this Implicit TLS mode.


A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2021 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

© Copyright 2021 by Matthias Andree. This file is licensed under CC
BY-ND 4.0. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/4.0/

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2021-02
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----