* Make the APOP challenge parser more distrustful and have it reject challenges
that do not conform to RFC-822 msg-id format, in the hope to make mounting
man-in-the-middle attacks (MITM) against APOP a bit more difficult.
- (CVE-2007-1558)
+ (CVE-2007-1558, reported by Gaëtan Leurent, published 2007-04-02 on Bugtraq)
APOP is claimed insecure by Gaëtan Leurent for MITM scenarios for typical
setups: based on MD5 collisions, it is purportedly possible to recover the
excellent detail by Reto Schüttel, Debian Bug#416812.
# DOCUMENTATION:
+* Add fetchmail-SA-2007-01.txt
* Extend --mda documentation, discourage use of qmail-inject.
Based on a patch by Rob MacGregor.
* Document SOCKS configuration facility (SOCKS_CONF environment variable).
--- /dev/null
+fetchmail-SA-2007-01: APOP considered insecure
+
+Topics: The POP3/APOP authentication, by itself, is considered broken.
+
+Author: Matthias Andree
+Version: 1.0
+Announced: 2007-04-06
+Type: password theft when under MITM attack
+Impact: password disclosure possible
+Danger: low
+Credits: Gaëtan Leurent
+CVE Name: CVE-2007-1558
+URL: http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
+Project URL: http://fetchmail.berlios.de/
+
+Affects: fetchmail release < 6.3.8
+
+Not affected: fetchmail release 6.3.8
+
+Corrected: 2007-03-18 fetchmail SVN
+
+
+0. Release history
+==================
+
+2007-04-06 1.0 first release
+
+
+1. Background
+=============
+
+fetchmail is a software package to retrieve mail from remote POP2, POP3,
+IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
+message delivery agents.
+
+fetchmail ships with a graphical, Python/Tkinter based configuration
+utility named "fetchmailconf" to help the user create configuration (run
+control) files for fetchmail.
+
+
+2. Problem description and Impact
+=================================
+
+The POP3 standard, currently RFC-1939, has specified an optional,
+MD5-based authentication scheme called "APOP".
+
+Fetchmail's POP3 client implementation however has happily accepted
+random garbage as a POP3 server's APOP challenge, rather than insisting
+that the APOP challenge conformed to RFC-822, as required by RFC-1939.
+This made it easier than necessary for man-in-the-middle attackers to
+retrieve by several probing and guessing the first three characters of
+the APOP secret, bringing brute forcing the remaining characters well
+within reach.
+
+
+3. Solution
+===========
+
+Either of these is currently considered sufficient.
+
+A. Only use APOP on SSL or TLS secured connections with mandatory and thorough
+ certificate validation, such as fetchmail --sslproto tls1 --sslcertck
+ or --sslproto ssl3 --sslcertck), or equivalent in the run control file.
+
+B. Avoid APOP and use stronger authenticators.
+
+C. If you must continue to use APOP without SSL/TLS, then install
+ fetchmail 6.3.8 or newer, as it is less susceptible to the attack by
+ validating the APOP challenge more strictly to make the attack
+ harder. The fetchmail 6.3.8 source code is available from
+ <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
+
+
+A. Copyright, License and Warranty
+==================================
+
+(C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
+Some rights reserved.
+
+This work is licensed under the Creative Commons
+Attribution-NonCommercial-NoDerivs German License. To view a copy of
+this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
+or send a letter to Creative Commons; 559 Nathan Abbott Way;
+Stanford, California 94305; USA.
+
+THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
+Use the information herein at your own risk.
+
+END OF fetchmail-SA-2007-01.txt
projects / ~andy / fetchmail / commitdiff