1 -----BEGIN PGP SIGNED MESSAGE-----
4 fetchmail-SA-2006-02: TLS enforcement problem/MITM attack/password exposure
6 Topics: fetchmail cannot enforce TLS
8 Author: Matthias Andree
11 Type: secret information disclosure
12 Impact: fetchmail can expose cleartext password over unsecure link
13 fetchmail may not detect man in the middle attacks
15 Credits: Isaac Wilcox (bug report, testing, collaboration on fix)
16 CVE Name: CVE-2006-5867
17 URL: http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt
18 Project URL: http://fetchmail.berlios.de/
20 Affects: fetchmail releases <= 6.3.5
21 fetchmail release candidates 6.3.6-rc1, -rc2, -rc3
23 Not affected: fetchmail release candidates 6.3.6-rc4, -rc5
24 fetchmail release 6.3.6
25 fetchmail release 6.3.7
27 Corrected: 2006-11-26 fetchmail 6.3.6-rc4
33 2006-11-16 v0.01 internal review draft
34 2006-11-26 v0.02 revise failure cases, workaround, add acknowledgments
35 2006-11-27 v0.03 add more vulnerabilities
36 2007-01-04 v1.0 ready for release
37 2007-02-18 v1.1 mention 6.3.7 that fixes two regressions
43 fetchmail is a software package to retrieve mail from remote POP2, POP3,
44 IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
45 message delivery agents.
47 fetchmail ships with a graphical, Python/Tkinter based configuration
48 utility named "fetchmailconf" to help the user create configuration (run
49 control) files for fetchmail.
52 2. Problem description and Impact
53 =================================
55 Fetchmail has had several nasty password disclosure vulnerabilities for
56 a long time. It was only recently that these have been found.
58 V1. sslcertck/sslfingerprint options should have implied "sslproto tls1"
59 in order to enforce TLS negotiation, but did not.
61 V2. Even with "sslproto tls1" in the config, fetches would go ahead
62 in plain text if STLS/STARTTLS wasn't available (not advertised,
63 or advertised but rejected).
65 V3. POP3 fetches could completely ignore all TLS options whether
66 available or not because it didn't reliably issue CAPA before
67 checking for STLS support - but CAPA is a requisite for STLS.
68 Whether or not CAPAbilities were probed, depended on the "auth"
69 option. (Fetchmail only tried CAPA if the auth option was not set at
70 all, was set to gssapi, kerberos, kerberos_v4, otp, or cram-md5.)
72 V4. POP3 could fall back to using plain text passwords, even if strong
73 authentication had been configured.
75 V5. POP2 would not complain if strong authentication or TLS had been
78 This can cause eavesdroppers to obtain the password, depending on the
79 authentication scheme that is configured or auto-selected, and
80 subsequently impersonate somebody else when logging into the upstream
87 If your upstream offers SSLv3-wrapped service on a dedicated port,
88 use fetchmail --ssl --sslcertck --sslproto ssl3 on the command line,
89 or equivalent in the run control file. This encrypts the whole session.
95 The earlier recommendation to install 6.3.6 is hereby updated, since
96 version 6.3.6 introduced two new regressions fixed in 6.3.7: one broke
97 KPOP altogether and one broke the automatic POP3 retries without TLS
98 if a server advertised TLS but then closed the connection and TLS
101 Download and install fetchmail 6.3.7 or a newer stable release from
102 fetchmail's project site at
103 <http://developer.berlios.de/project/showfiles.php?group_id=1824>.
109 Isaac Wilcox has been a great help with testing the fixes and getting
113 A. Copyright, License and Warranty
114 ==================================
116 (C) Copyright 2007 by Matthias Andree, <matthias.andree@gmx.de>.
117 Some rights reserved.
119 This work is licensed under the Creative Commons
120 Attribution-NonCommercial-NoDerivs German License. To view a copy of
121 this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
122 or send a letter to Creative Commons; 559 Nathan Abbott Way;
123 Stanford, California 94305; USA.
125 THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
126 Use the information herein at your own risk.
128 END OF fetchmail-SA-2006-02.txt
129 -----BEGIN PGP SIGNATURE-----
130 Version: GnuPG v1.4.5 (GNU/Linux)
132 iD8DBQFIV7WXvmGDOQUufZURAr4xAKDSgBfyRuCoznZM6vuyA3aDHr/o5QCgvuDX
133 OKcBNAf2aVZjS9X0+w/fEc8=
135 -----END PGP SIGNATURE-----