Created Jun 17, 2020 by Damian Poddebniak@duesee1

CVE-2020-14928: Response Injection via STARTTLS in SMTP and POP3

We found a STARTTLS issue in Evolution, which affects SMTP and POP3.

When the server responds with its "let's do TLS now message", e.g. +OK begin TLS\r\n, Evolution will read any data after the \r\n and save it into some internal buffer for later processing. This is problematic, because a MITM attacker can inject arbitrary responses. I haven't tested it to this extent, but I suspect that this is enough to forge an entire new POP3 mailbox.

There is a nice blog post by Wietse Venema about a "command injection" in postfix (http://www.postfix.org/CVE-2011-0411.html). What we have here is the problem in reverse, i.e. not a command injection, but a "response injection."

Example trace to give an intuition:

C: stls
S: +OK begin TLS
   +OK ack future user command // injected response
   +OK ack future pass command // injected response
<--- TLS --->
C: user alice
// here, Evolution interprets the first injected "+OK" response and proceeds...
C: pass password
// here, Evolution interprets the second injected "+OK" response and proceeds...
...

An attacker can inject many more responses and (in the worst case) mimic a whole session.

I can also provide a pre-compiled test server to test for the SMTP and POP3 issues.

There are (from my view) three possible fixes: 1) discard any remaining data after stls, 2) shovel the extra data into the TLS layer (where it belongs), and 3) error out as this is clearly a protocol violation.

Edited Jun 22, 2020 by Milan Crha
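The following is an added example, not Evolution's code and not from the reporter. It models the buffering behaviour described in the report with constructed byte strings taken from the trace above, and implements the three candidate fixes as a `policy` switch on a hypothetical `handle_stls_reply` helper so the difference between them is visible on the same input.

```python
"""Added example (not Evolution's code): simulating the STLS response
injection described in the report and the three candidate fixes.
All data and helper names below are constructed for illustration."""
from __future__ import annotations

CRLF = b"\r\n"

# Constructed server replies, modelled on the trace in the report.
CLEAN_REPLY = b"+OK begin TLS\r\n"
INJECTED_REPLY = (
    b"+OK begin TLS\r\n"
    b"+OK ack future user command\r\n"   # injected plaintext
    b"+OK ack future pass command\r\n"   # injected plaintext
)


class StarttlsInjectionError(Exception):
    """Raised when plaintext follows the STLS/STARTTLS status line."""


def parse_stls_reply(data: bytes) -> tuple[bytes, bytes]:
    """Split one read() worth of bytes into the status line and whatever
    trails it. The trailing part is what a buffering client would keep."""
    idx = data.find(CRLF)
    if idx < 0:
        raise ValueError("incomplete STLS reply")
    return data[:idx], data[idx + len(CRLF):]


def handle_stls_reply(data: bytes, policy: str = "reject") -> tuple[bytes, bytes]:
    """Apply one of the three fixes from the report to the STLS reply.

    policy="reject"  : fix 3, treat trailing plaintext as a protocol violation
    policy="discard" : fix 1, drop the trailing bytes before the handshake
    policy="handoff" : fix 2, return them so the caller feeds them to the TLS
                       layer, where they fail to parse as a TLS record
    Returns (status_line, bytes_for_tls_layer).
    """
    status, leftover = parse_stls_reply(data)
    if not status.startswith(b"+OK"):
        raise RuntimeError(f"server refused STLS: {status!r}")
    if not leftover:
        return status, b""
    if policy == "reject":
        raise StarttlsInjectionError(
            f"{len(leftover)} plaintext bytes after STLS reply: {leftover!r}")
    if policy == "discard":
        return status, b""
    if policy == "handoff":
        return status, leftover
    raise ValueError(f"unknown policy {policy!r}")


def vulnerable_login(data: bytes,
                     commands=(b"USER alice", b"PASS secret")) -> list[bytes]:
    """Model the behaviour the report describes: the client keeps the trailing
    bytes in its read buffer and later 'reads' replies to USER/PASS from it,
    without the real server ever answering over TLS. Returns the replies the
    client accepted; an empty list means it would correctly block waiting."""
    status, buf = parse_stls_reply(data)
    if not status.startswith(b"+OK"):
        raise RuntimeError(f"server refused STLS: {status!r}")
    accepted: list[bytes] = []
    for _cmd in commands:
        # The command would go out over TLS; the buffered plaintext answers it.
        idx = buf.find(CRLF)
        if idx < 0:
            break
        accepted.append(buf[:idx])
        buf = buf[idx + len(CRLF):]
    return accepted


if __name__ == "__main__":
    print("vulnerable client accepted:", vulnerable_login(INJECTED_REPLY))
    for policy in ("discard", "handoff", "reject"):
        try:
            print(policy, "->", handle_stls_reply(INJECTED_REPLY, policy))
        except StarttlsInjectionError as exc:
            print(policy, "->", exc)
```

Running it shows the vulnerable model accepting both injected "+OK" lines as answers to USER and PASS, while every policy leaves nothing for the plaintext parser to consume after the handshake: "discard" and "reject" empty the buffer, and "handoff" forwards the bytes to the TLS layer, which cannot interpret "+OK ..." as a record and aborts the connection.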