fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode

Topics:		Denial of service in STARTTLS protocol phases

Author:		Matthias Andree
Version:	XXX
Announced:	XXX
Type:		Unguarded blocking I/O can cause indefinite application hang
Impact:		Denial of service
Danger:		low

CVE Name:	
CVSSv2:		
CVSS scores:	
		This is calculated without Environmental Score.
URL:		http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL:	http://www.fetchmail.info/

Affects:	fetchmail releases 5.9.9 up to and including 6.3.19

Not affected:	fetchmail release 6.3.20 and newer

Corrected in:	2011-05-26 Git, among others, see commit
		7dc67b8cf06f74aa57525279940e180c99701314

		2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)

		pending    fetchmail 6.3.20 release tarball


0. Release history
==================

2011-05-30 0.1	first draft (visible in Git and through oss-security)


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.


2. Problem description and Impact
=================================

Fetchmail version 5.9.9 introduced STLS support for POP3, version
6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system defaults as to TCP stream keepalive
mode, fetchmail hangs in excess of one week after sending STARTTLS were
observed if the connection failed without notifying the operating
system, for instance, through network outages or hard server crashes.

A malicious server that does not respond, at the network level, after
acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
in this protocol state, and thus render fetchmail unable to complete the
poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so
can be used as a workaround.


3. Solution
===========

Install fetchmail 6.3.20 or newer after it will have become available.
(Note that the announcements may be publicly visible quite some time
before the release is made, particularly for minor bugs.)

The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.

Distributors are encouraged to review the NEWS file and move forward to
6.3.20, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued.  Several such
(long-standing) bugs were fixed through recent releases.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X.  Care was taken to not change the
interface incompatibly.

There will be NO SUPPORT FOR BACKPORTING bug fixes to older releases!


4. Workaround
=============

A. If supported by the server's configuration, fetchmail can be run in
ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto
ssl3" option must be configured (possibly replacing sslproto tls1 where
configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on
the command line (where it applies to all poll configurations).
   It is generally advisable to use --sslcertck to enable SSL
certificate validation.

B. If the operating system supports setting all TCP sockets to keepalive
mode by default, and possibly lowering the delay until keepalive probes
start, enabling this configuration can protect against hangs through
silently broken connections, but not against a malicious server.


A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2011 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to

Creative Commons
171 Second Street
Suite 300
SAN FRANCISCO, CALIFORNIA 94105
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2011-01