1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2007-01: APOP considered insecure
6 Topics: APOP authentication insecure, fetchmail implementation lax
8 Author: Matthias Andree
11 Type: password theft when under MITM attack
12 Impact: password disclosure possible
14 Credits: Gaƫtan Leurent
15 CVE Name: CVE-2007-1558
16 URL: http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
17 Project URL: http://fetchmail.berlios.de/
19 Affects: fetchmail release < 6.3.8
21 Not affected: fetchmail release 6.3.8
23 Corrected: 2007-03-18 fetchmail SVN
29 2007-04-06 1.0 first release
30 2008-04-24 1.1 add --ssl to section 3. suggestion A below
36 fetchmail is a software package to retrieve mail from remote POP2, POP3,
37 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
38 message delivery agents.
40 fetchmail ships with a graphical, Python/Tkinter based configuration
41 utility named "fetchmailconf" to help the user create configuration (run
42 control) files for fetchmail.
45 2. Problem description and Impact
46 =================================
48 The POP3 standard, currently RFC-1939, has specified an optional,
49 MD5-based authentication scheme called "APOP".
51 APOP should no longer be considered secure.
53 Additionally, fetchmail's POP3 client implementation has been validating
54 the APOP challenge too lightly and accepted random garbage as a POP3
55 server's APOP challenge, rather than insisting that the APOP challenge
56 conformed to RFC-822, as required by RFC-1939.
58 This made it easier than necessary for man-in-the-middle attackers to
59 retrieve by several probing and guessing the first three characters of
60 the APOP secret, bringing brute forcing the remaining characters well
67 Either of these is currently considered sufficient.
69 A. Only use APOP on SSL or TLS secured connections with mandatory and thorough
70 certificate validation, such as fetchmail --sslproto tls1 --sslcertck
71 or --ssl --sslproto ssl3 --sslcertck), or equivalent in the run control file.
73 B. Avoid APOP and use stronger authenticators.
75 C. If you must continue to use APOP without SSL/TLS, then install
76 fetchmail 6.3.8 or newer, as it is less susceptible to the attack by
77 validating the APOP challenge more strictly to make the attack
78 harder. The fetchmail 6.3.8 source code is available from
79 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
82 A. Copyright, License and Warranty
83 ==================================
85 (C) Copyright 2007, 2008 by Matthias Andree, <matthias.andree@gmx.de>.
88 This work is licensed under the
89 Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
91 To view a copy of this license, visit
92 http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
98 MOUNTAIN VIEW, CALIFORNIA 94041
102 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
103 Use the information herein at your own risk.
105 END OF fetchmail-SA-2007-01.txt
107 -----BEGIN PGP SIGNATURE-----
108 Version: GnuPG v1.4.11 (GNU/Linux)
110 iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZVn6wCgkC9pMA9HxXG6lgbgoixd73Tn
111 Cz4AoKG+qB47vhGdXSTDDXDFgMDrMJ24
113 -----END PGP SIGNATURE-----