Email Bug Allows Message Snooping, Credential Theft

A year-old proof-of-concept attack that allows an attacker to bypass TLS email protections to snoop on messages has been patched.

Researchers warn hackers can snoop on email messages by exploiting a bug in the underlying technology used by the majority of email servers that run the Internet Message Access Protocol, commonly referred to as IMAP. The bug, first reported in August 2020 and patched Monday, is tied to the email server software Dovecot, used by over three-quarters of IMAP servers, according to Open Email Survey.

The vulnerability opens the door to what is called a meddle-in-the-middle (MITM) attack, according to a report by researchers Fabian Ising and Damian Poddebniak, with Münster University of Applied Sciences, based in Germany.

“The vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker,” according to research linked to from a bug bounty page and dated August 2020.

A patch for the vulnerability, rated by the vendor as -severity and by the third-party security firm Tenable as critical, is available for download in the form of Dovecot version v2.3.14.1.

Bypassing TLS and Certificates

The flaw centers around the implementation of the email instruction called START-TLS, a command issued between an email program and server that’s designed to secure the delivery of email messages, according to a technical description by Anubisnetworks.

“We found that Dovecot is affected by a command injection issue in START-TLS. This bug allows [an attacker] to bypass security features of SMTP such as the blocking of plaintext logins. Furthermore, it allows [an attacker] to mount a session fixation attack, which possibly results in stealing of credentials such as the SMTP username and password,” researchers wrote.

A session fixation attack allows an adversary to hijack a client-server connection after the user logs in, according to an OWASP description.

“In order to conduct the attack, an attacker first creates a legit account on a Dovecot server. They now wait for and [intercept] an encrypted connection on port 465 from a victim’s email client,” researchers wrote. “As soon as the client connects, the attacker initiates a separate START-TLS connection to Dovecot and injects their own malicious prefix, e.g. a login command.”

Researchers say that, due to the implementation flaw with START-TLS in Dovecot, the attacker can log in to the session and forward the full TLS traffic from the targeted victim’s SMTP server as part of its own session.

“The attacker obtains the full credentials from its own inbox. At no point was TLS broken or certificates compromised,” the researchers wrote. The pair also outlined the bug in a proof-of-concept attack.

Patches Available

A fix for the vulnerability, tracked as CVE-2021-33515, is available for Dovecot running on Ubuntu, the Linux distribution based on Debian. Dovecot version v2.3.14.1 and later mitigates the issue.

Workaround fixes have been available for the flaw and are outlined by Ising and Poddebniak. One of them includes disabling START-TLS and configuring Dovecot to only accept “pure TLS connections” on port 993/465/995.

“Note that it is not sufficient to reconfigure a mail client to not use START-TLS. The attack must be mitigated on the server, as any TLS connection is equally affected,” the researchers wrote.
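Both the server-side workaround and the patch level can be checked from a server's own settings. The Python below is an added example, not code from the researchers, Dovecot or this article: it flags login listeners that still accept non-implicit-TLS connections and compares a version string with v2.3.14.1. It assumes configuration text in the block syntax that `doveconf -a` prints and a version line as printed by `dovecot --version`; the function names and the sample configuration are constructed for illustration.

```python
import re
PATCHED = (2, 3, 14, 1)  # fixed release named in the article

# Constructed sample in the block syntax `doveconf -a` prints (not from a real host).
SAMPLE_CONF = """\
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
}
"""

def is_patched(version_line):
    """True if a `dovecot --version` line such as '2.3.13 (abc123)' is >= 2.3.14.1."""
    found = re.match(r"\s*(\d+(?:\.\d+)*)", version_line)
    if not found:
        raise ValueError("no version number in %r" % version_line)
    nums = tuple(int(n) for n in found.group(1).split("."))
    # Pad short versions with zeros so 2.3.14 compares below 2.3.14.1.
    return nums + (0,) * (len(PATCHED) - len(nums)) >= PATCHED

def starttls_listeners(conf):
    """List (service, listener, port) for enabled login listeners lacking ssl = yes."""
    findings, stack, settings = [], [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append(line[:-1].split() or [""])
            settings = {}  # start collecting settings for the block just opened
        elif line == "}" and stack:
            block = stack.pop()
            in_login = bool(stack) and stack[0][0] == "service" and stack[0][-1].endswith("-login")
            port = int(settings.get("port", "0"))  # port = 0 means the listener is disabled
            if block[0] == "inet_listener" and in_login and port and settings.get("ssl") != "yes":
                findings.append((stack[0][-1], block[-1], port))
        elif "=" in line and stack and stack[-1][0] == "inet_listener":
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return findings
```

A distribution package can carry the fix under an older upstream version number, so a failed version check is a reason to read the package changelog rather than proof of exposure.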
