fetchmail-SA-2011-01.txt - fetchmail in fetchmail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode

Topics:		fetchmail denial of service in STARTTLS protocol phases

Author:		Matthias Andree
Version:	1.0
Announced:	2011-06-06
Type:		Unguarded blocking I/O can cause indefinite application hang
Impact:		Denial of service
Danger:		low
Acknowledgment:	Thomas Jarosch for sending detailed report

CVE Name:	CVE-2011-1947
CVSSv2:		(AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C)
CVSS scores:	4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7
		This is calculated without Environmental Score.
URL:		http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL:	http://www.fetchmail.info/

Affects:	fetchmail releases 5.9.9 up to and including 6.3.19

Not affected:	fetchmail release 6.3.20 and newer

Corrected in:	2011-05-26 Git, among others, see commit
		7dc67b8cf06f74aa57525279940e180c99701314

		2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)

		2011-06-06 fetchmail 6.3.20 release tarball


0. Release history
==================

2011-05-30 0.1	first draft (visible in Git and through oss-security)
2011-06-06 1.0	release


1. Background
=============

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.


2. Problem description and Impact
=================================

Fetchmail version 5.9.9 introduced STLS support for POP3, version
6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system defaults as to TCP stream keepalive
mode, fetchmail hangs in excess of one week after sending STARTTLS were
observed if the connection failed without notifying the operating
system, for instance, through network outages or hard server crashes.

A malicious server that does not respond, at the network level, after
acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
in this protocol state, and thus render fetchmail unable to complete the
poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so
can be used as a workaround.


3. Solution
===========

Install fetchmail 6.3.20 or newer.

The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.

Distributors are encouraged to review the NEWS file and move forward to
6.3.20, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued.  Several such
(long-standing) bugs were fixed through recent releases, and an erratum
notice for SASL authentication was issued.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X.  Care was taken to not change the
interface incompatibly.


4. Workaround
=============

If supported by the server's configuration, fetchmail can be run in
ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto
ssl3" option must be configured (possibly replacing sslproto tls1 where
configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on
the command line (where it applies to all poll configurations).

It is generally also advisable to enforce SSL certificate validation, by
either using --sslcertck on the command line, or using sslcertck in a
"default" configuration entry of the rcfile, or using sslcertck in
each of the relevant individual poll descriptions of the rcfile.


A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2011 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:

Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA


THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2011-01
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZUICACg5GqwtyAFuOamJ3JtribzMe9U
k20AnRLlwx4HBC/Gk3AX1dWSrrQc8WYB
=GFzg
-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode
5
6	Topics: fetchmail denial of service in STARTTLS protocol phases
7
8	Author: Matthias Andree
9	Version: 1.0
10	Announced: 2011-06-06
11	Type: Unguarded blocking I/O can cause indefinite application hang
12	Impact: Denial of service
13	Danger: low
14	Acknowledgment: Thomas Jarosch for sending detailed report
15
16	CVE Name: CVE-2011-1947
17	CVSSv2: (AV:N/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:O/RC:C)
18	CVSS scores: 4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7
19	This is calculated without Environmental Score.
20	URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt
21	Project URL: http://www.fetchmail.info/
22
23	Affects: fetchmail releases 5.9.9 up to and including 6.3.19
24
25	Not affected: fetchmail release 6.3.20 and newer
26
27	Corrected in: 2011-05-26 Git, among others, see commit
28	7dc67b8cf06f74aa57525279940e180c99701314
29
30	2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)
31
32	2011-06-06 fetchmail 6.3.20 release tarball
33
34
35	0. Release history
36	==================
37
38	2011-05-30 0.1 first draft (visible in Git and through oss-security)
39	2011-06-06 1.0 release
40
41
42	1. Background
43	=============
44
45	fetchmail is a software package to retrieve mail from remote POP3, IMAP,
46	ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
47	message delivery agents. fetchmail supports SSL and TLS security layers
48	through the OpenSSL library, if enabled at compile time and if also
49	enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
50	well as in-band-negotiated "STARTTLS" and "STLS" modes through the
51	regular protocol ports.
52
53
54	2. Problem description and Impact
55	=================================
56
57	Fetchmail version 5.9.9 introduced STLS support for POP3, version
58	6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
59	in-band SSL/TLS negotiation was not guarded by a timeout.
60
61	Depending on the operating system defaults as to TCP stream keepalive
62	mode, fetchmail hangs in excess of one week after sending STARTTLS were
63	observed if the connection failed without notifying the operating
64	system, for instance, through network outages or hard server crashes.
65
66	A malicious server that does not respond, at the network level, after
67	acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
68	in this protocol state, and thus render fetchmail unable to complete the
69	poll, or proceed to the next server, effecting a denial of service.
70
71	SSL-wrapped mode on dedicated ports was unaffected by this problem, so
72	can be used as a workaround.
73
74
75	3. Solution
76	===========
77
78	Install fetchmail 6.3.20 or newer.
79
80	The fetchmail source code is always available from
81	<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
82
83	Distributors are encouraged to review the NEWS file and move forward to
84	6.3.20, rather than backport individual security fixes, because doing so
85	routinely misses other fixes crucial to fetchmail's proper operation,
86	for which no security announcements are issued. Several such
87	(long-standing) bugs were fixed through recent releases, and an erratum
88	notice for SASL authentication was issued.
89
90	Fetchmail 6.3.X releases have always been made with a focus on unchanged
91	user and program interfaces so as to avoid disruptions when upgrading
92	from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
93	interface incompatibly.
94
95
96	4. Workaround
97	=============
98
99	If supported by the server's configuration, fetchmail can be run in
100	ssl-wrapped rather than starttls mode. To that extent, the "ssl sslproto
101	ssl3" option must be configured (possibly replacing sslproto tls1 where
102	configured) to the rcfile, or "--ssl --sslproto ssl3" can be given on
103	the command line (where it applies to all poll configurations).
104
105	It is generally also advisable to enforce SSL certificate validation, by
106	either using --sslcertck on the command line, or using sslcertck in a
107	"default" configuration entry of the rcfile, or using sslcertck in
108	each of the relevant individual poll descriptions of the rcfile.
109
110
111	A. Copyright, License and Non-Warranty
112	======================================
113
114	(C) Copyright 2011 by Matthias Andree, <matthias.andree@gmx.de>.
115	Some rights reserved.
116
117	This work is licensed under the
118	Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
119
120	To view a copy of this license, visit
121	http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
122	or send a letter to:
123
124	Creative Commons
125	444 Castro Street
126	Suite 900
127	MOUNTAIN VIEW, CALIFORNIA 94041
128	USA
129
130
131	THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
132	Use the information herein at your own risk.
133
134	END of fetchmail-SA-2011-01
135	-----BEGIN PGP SIGNATURE-----
136	Version: GnuPG v1.4.11 (GNU/Linux)
137
138	iEYEARECAAYFAk9/Yg4ACgkQvmGDOQUufZUICACg5GqwtyAFuOamJ3JtribzMe9U
139	k20AnRLlwx4HBC/Gk3AX1dWSrrQc8WYB
140	=GFzg
141	-----END PGP SIGNATURE-----

Gitorious