CVE-2020-14928: Response Injection via STARTTLS in SMTP and POP3
We found a STARTTLS issue in Evolution, which affects SMTP and POP3.
When the server responds with its "let's do TLS now" message, e.g.
+OK begin TLS\r\n, Evolution will read any data after the
\r\n and save it into some internal buffer for later processing. This is problematic, because a MITM attacker can inject arbitrary responses. I haven't tested it to this extent, but I suspect that this is enough to forge an entire new POP3 mailbox.
There is a nice blogpost by Wietse Venema about a "command injection" in postfix (http://www.postfix.org/CVE-2011-0411.html). What we have here is the problem in reverse, i.e. not a command injection, but a "response injection."
Example trace to give an intuition:
C: stls
S: +OK begin TLS
   +OK ack future user command    // injected response
   +OK ack future pass command    // injected response
<--- TLS --->
C: user alice       // here, Evolution interprets the first injected "+OK" response and proceeds...
C: pass password    // here, Evolution interprets the second injected "+OK" response and proceeds...
...
An attacker can inject many more responses and (in the worst case) mimic a whole session.
I can also provide a pre-compiled test server to test for the SMTP and POP3 issues.
There are (from my view) three possible fixes:
1) discard any remaining data after stls,
2) shovel the extra data into the TLS layer (where it belongs), and
3) error out as this is clearly a protocol violation.
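The following is an added illustration (not Evolution's code, and not part of the original report) of the buffer-handling mistake behind this issue and of fixes 1 and 3 from the list above, modelled on the POP3 trace. It uses constructed byte strings instead of a socket: the chunk the client reads before the handshake, and a list of lines standing in for what the TLS layer later decrypts from the genuine server. Fix 2 (feeding the leftover bytes into the TLS record layer) is not modelled. The names handle_stls_reply, PostTlsSession and authenticate are this example's own. The same logic applies to SMTP, where the reply to be checked is the 220 line.

```python
"""Pre-TLS read buffer carried across STARTTLS: the bug and two of the fixes.

Constructed data only; no network I/O. All names here are this example's own,
not Evolution's.
"""


class ProtocolError(Exception):
    pass


def handle_stls_reply(chunk: bytes, policy: str) -> bytes:
    """Parse the server's reply to STLS from one raw socket read.

    Returns the bytes the client would carry across the TLS handshake.
    policy: 'keep'    - leftover plaintext stays buffered (the behaviour reported above)
            'discard' - fix 1: throw any leftover away before the handshake
            'reject'  - fix 3: treat trailing plaintext as a protocol violation
    """
    end = chunk.find(b"\r\n")
    if end < 0:
        raise ProtocolError("incomplete STLS reply")
    status, rest = chunk[:end], chunk[end + 2:]
    if not status.startswith(b"+OK"):
        raise ProtocolError("server refused STLS: %r" % status)
    if rest and policy == "reject":
        raise ProtocolError("%d unexpected plaintext bytes after STLS reply" % len(rest))
    if policy == "discard":
        return b""
    return rest


class PostTlsSession:
    """Source of responses after the handshake.

    `carried` is whatever the plaintext reader left in its buffer; `tls_lines`
    stand in for lines the TLS layer decrypts from the genuine server.
    """

    def __init__(self, carried: bytes, tls_lines):
        self.carried = carried
        self.tls_lines = list(tls_lines)

    def response(self):
        # A buffered reader drains its leftover bytes before touching the
        # socket again. That is exactly what lets stale plaintext be mistaken
        # for a TLS-protected reply.
        if b"\r\n" in self.carried:
            line, _, self.carried = self.carried.partition(b"\r\n")
            return "plaintext-leftover", line
        return "tls", self.tls_lines.pop(0)


def authenticate(chunk: bytes, tls_lines, policy: str):
    """Send USER/PASS after STLS and record where each reply actually came from."""
    carried = handle_stls_reply(chunk, policy)
    session = PostTlsSession(carried, tls_lines)
    results = []
    for cmd in (b"USER alice", b"PASS password"):
        source, line = session.response()
        results.append((cmd, source, line))
        if not line.startswith(b"+OK"):
            break  # a well-behaved client stops on the first -ERR
    return results


# Constructed: a single read in which two extra replies follow the STLS reply.
TAMPERED_READ = (b"+OK begin TLS\r\n"
                 b"+OK ack future user command\r\n"
                 b"+OK ack future pass command\r\n")
# Constructed: what the genuine server says once TLS is up.
GENUINE_TLS_REPLIES = [b"-ERR unknown user", b"-ERR not authenticated"]

if __name__ == "__main__":
    for policy in ("keep", "discard", "reject"):
        try:
            print(policy, authenticate(TAMPERED_READ, GENUINE_TLS_REPLIES, policy))
        except ProtocolError as err:
            print(policy, "aborted:", err)
```

With policy 'keep', both USER and PASS are answered by the plaintext leftovers and the client proceeds even though the genuine server (over TLS) rejects the login; with 'discard' the first TLS reply is the -ERR and the client stops; with 'reject' the handshake is never reached. A client should also log the rejection, since trailing data after a STARTTLS reply is a strong sign of tampering on the path.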