GitLab

We found a STARTTLS issue in Evolution, which affects SMTP and POP3.

When the server responds with its "let's do TLS now message", e.g. +OK begin TLS\r\n, Evolution will read any data after the \r\n and save it into some internal buffer for later processing. This is problematic, because a MITM attacker can inject arbitrary responses. I havn't tested it to this extent, but I suspect that this is enough to forge an entire new POP3 mailbox.

There is a nice blogpost by Wietse Venema about a "command injection" in postfix (http://www.postfix.org/CVE-2011-0411.html). What we have here is the problem in reverse, i.e. not a command injection, but a "response injection."

Example trace to give an intuition:

C: stls
S: +OK begin TLS
   +OK ack future user command // injected response
   +OK ack future pass command // injected response
<--- TLS --->
C: user alice
// here, Evolution interprets the first injected "+OK" response and proceeds...
C: pass password
// here, Evolution interprets the second injected "+OK" response and proceeds... 
...

An attacker can inject many more responses and (in the worst case) mimic a whole session.

I can also provide a pre-compiled test server to test for the SMTP and POP3 issues.

There are (from my view) three possible fixes: 1) discard any remaining data after stls, 2) shovel the extra data into the TLS layer (where it belongs), and 3) error out as this is clearly a protocol violation.