1 fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode
3 Topics: Denial of service in STARTTLS protocol phases
5 Author: Matthias Andree
8 Type: Unguarded blocking I/O can cause indefinite application hang
9 Impact: Denial of service
11 Acknowledgment: Thomas Jarosch for sending detailed report
13 CVE Name: CVE-2011-1947
16 This is calculated without Environmental Score.
17 URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt
18 Project URL: http://www.fetchmail.info/
20 Affects: fetchmail releases 5.9.9 up to and including 6.3.19
22 Not affected: fetchmail release 6.3.20 and newer
24 Corrected in: 2011-05-26 Git, among others, see commit
25 7dc67b8cf06f74aa57525279940e180c99701314
27 2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)
29 pending fetchmail 6.3.20 release tarball
35 2011-05-30 0.1 first draft (visible in Git and through oss-security)
41 fetchmail is a software package to retrieve mail from remote POP3, IMAP,
42 ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
43 message delivery agents. fetchmail supports SSL and TLS security layers
44 through the OpenSSL library, if enabled at compile time and if also
45 enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
46 well as in-band-negotiated "STARTTLS" and "STLS" modes through the
47 regular protocol ports.
50 2. Problem description and Impact
51 =================================
53 Fetchmail version 5.9.9 introduced STLS support for POP3, version
54 6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
55 in-band SSL/TLS negotiation was not guarded by a timeout.
57 Depending on the operating system defaults as to TCP stream keepalive
58 mode, fetchmail hangs in excess of one week after sending STARTTLS were
59 observed if the connection failed without notifying the operating
60 system, for instance, through network outages or hard server crashes.
62 A malicious server that does not respond, at the network level, after
63 acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
64 in this protocol state, and thus render fetchmail unable to complete the
65 poll, or proceed to the next server, effecting a denial of service.
67 SSL-wrapped mode on dedicated ports was unaffected by this problem, so
68 can be used as a workaround.
74 Install fetchmail 6.3.20 or newer after it will have become available.
75 (Note that the announcements may be publicly visible quite some time
76 before the release is made, particularly for minor bugs.)
78 The fetchmail source code is always available from
79 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
81 Distributors are encouraged to review the NEWS file and move forward to
82 6.3.20, rather than backport individual security fixes, because doing so
83 routinely misses other fixes crucial to fetchmail's proper operation,
84 for which no security announcements are issued. Several such
85 (long-standing) bugs were fixed through recent releases.
87 Fetchmail 6.3.X releases have always been made with a focus on unchanged
88 user and program interfaces so as to avoid disruptions when upgrading
89 from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
90 interface incompatibly.
92 There will be NO SUPPORT FOR BACKPORTING bug fixes to older releases!
98 A. If supported by the server's configuration, fetchmail can be run in
99 ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto
100 ssl3" option must be configured (possibly replacing sslproto tls1 where
101 configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on
102 the command line (where it applies to all poll configurations).
103 It is generally advisable to use --sslcertck to enable SSL
104 certificate validation.
106 B. If the operating system supports setting all TCP sockets to keepalive
107 mode by default, and possibly lowering the delay until keepalive probes
108 start, enabling this configuration can protect against hangs through
109 silently broken connections, but not against a malicious server.
112 A. Copyright, License and Non-Warranty
113 ======================================
115 (C) Copyright 2011 by Matthias Andree, <matthias.andree@gmx.de>.
116 Some rights reserved.
118 This work is licensed under the Creative Commons
119 Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
120 To view a copy of this license, visit
121 http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to
126 SAN FRANCISCO, CALIFORNIA 94105
130 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
131 Use the information herein at your own risk.
133 END of fetchmail-SA-2011-01