fetchmail-SA-2011-01.txt 4.7 KB
Newer Older
1 2 3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

4 5
fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode

Matthias Andree's avatar
Matthias Andree committed
6
Topics:		fetchmail denial of service in STARTTLS protocol phases
7 8

Author:		Matthias Andree
Matthias Andree's avatar
Matthias Andree committed
9 10
Version:	1.0
Announced:	2011-06-06
11 12 13
Type:		Unguarded blocking I/O can cause indefinite application hang
Impact:		Denial of service
Danger:		low
Matthias Andree's avatar
Matthias Andree committed
14
Acknowledgment:	Thomas Jarosch for sending detailed report
15

Matthias Andree's avatar
Matthias Andree committed
16
CVE Name:	CVE-2011-1947
Matthias Andree's avatar
Matthias Andree committed
17 18
CVSSv2:		(AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C)
CVSS scores:	4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7
19 20 21 22 23 24 25 26 27 28 29 30 31
		This is calculated without Environmental Score.
URL:		http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL:	http://www.fetchmail.info/

Affects:	fetchmail releases 5.9.9 up to and including 6.3.19

Not affected:	fetchmail release 6.3.20 and newer

Corrected in:	2011-05-26 Git, among others, see commit
		7dc67b8cf06f74aa57525279940e180c99701314

		2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)

Matthias Andree's avatar
Matthias Andree committed
32
		2011-06-06 fetchmail 6.3.20 release tarball
33 34 35 36 37 38


0. Release history
==================

2011-05-30 0.1	first draft (visible in Git and through oss-security)
Matthias Andree's avatar
Matthias Andree committed
39
2011-06-06 1.0	release
40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.


2. Problem description and Impact
=================================

Fetchmail version 5.9.9 introduced STLS support for POP3, version
6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system defaults as to TCP stream keepalive
mode, fetchmail hangs in excess of one week after sending STARTTLS were
observed if the connection failed without notifying the operating
system, for instance, through network outages or hard server crashes.

A malicious server that does not respond, at the network level, after
acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
in this protocol state, and thus render fetchmail unable to complete the
poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so
can be used as a workaround.


3. Solution
===========

Matthias Andree's avatar
Matthias Andree committed
78
Install fetchmail 6.3.20 or newer.
79 80

The fetchmail source code is always available from
81
<http://sourceforge.net/projects/fetchmail/files/>.
82 83 84 85 86

Distributors are encouraged to review the NEWS file and move forward to
6.3.20, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued.  Several such
Matthias Andree's avatar
Matthias Andree committed
87 88
(long-standing) bugs were fixed through recent releases, and an erratum
notice for SASL authentication was issued.
89 90 91 92 93 94 95 96 97 98

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X.  Care was taken to not change the
interface incompatibly.


4. Workaround
=============

Matthias Andree's avatar
Matthias Andree committed
99
If supported by the server's configuration, fetchmail can be run in
100 101 102 103 104
ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto
ssl3" option must be configured (possibly replacing sslproto tls1 where
configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on
the command line (where it applies to all poll configurations).

Matthias Andree's avatar
Matthias Andree committed
105 106 107 108
It is generally also advisable to enforce SSL certificate validation, by
either using --sslcertck on the command line, or using sslcertck in a
"default" configuration entry of the rcfile, or using sslcertck in
each of the relevant individual poll descriptions of the rcfile.
109 110 111 112 113 114 115 116


A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2011 by Matthias Andree, <[email protected]>.
Some rights reserved.

117 118 119
This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

120
To view a copy of this license, visit
121 122
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:
123 124

Creative Commons
125 126 127
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
128 129 130 131 132 133 134
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2011-01
135
-----BEGIN PGP SIGNATURE-----
136
Version: GnuPG v1.4.11 (GNU/Linux)
137

138 139 140
iEYEARECAAYFAlN9DK4ACgkQvmGDOQUufZWivQCgs1S3ZZHCnBN4bZHuiTwIIzmo
hzYAoOr6wu0pYwyLhoBrfkHqFotE4mp2
=XWx6
141
-----END PGP SIGNATURE-----