commit 639c84ea28004ea7e28e9a1e1a4f03a9575c84c9
Author: Oswald Buddenhagen <o...@users.sf.net>
Date:   Sat Jul 5 22:52:40 2014 +0200

    don't ignore RequireSSL for PREAUTHenticated connections
    
    such connections don't support STARTTLS. that is reasonable, as whatever
    makes the connection preauthenticated (typically a Tunnel used to launch
    imapd via a shell login) must already rely on the connection's security.
    consequently, we would not try to use STARTTLS with such connections.
    unfortunately, we'd also skip the RequireSSL check as a side effect.
    
    this means that a rogue server (via a MITM attack) could simply offer a
    preauthenticated connection to make us not use SSL, and thus bypass
    server authentication. as a result, we could send potentially sensitive
    data to the attacker:
    - with Patterns used, we would send a LIST command which reveals the
      remote Path setting. this isn't very useful to an attacker. also, IMAP
      Accounts usually rely on the server-provided NAMESPACE to start with.
    - with Create enabled for the remote Store, we would upload messages
      from newly appeared local folders. this isn't a very likely situation,
      unless the attacker manages to convince the victim to move/copy
      interesting mails to a new folder right before the attack.
    - with Expunge enabled for the local Store, previously synchronized
      folders would be wiped. however, this would require the attacker to
      know the correct UIDVALIDITY of each remote folder, which would
      require incredible luck or convincing the victim to disclose them.
      the first mismatch would likely tip off the victim.
    
    in practice, someone with the level of technical and social engineering
    skills required for this attack would very likely find more attractive
    attack vectors. therefore, i don't consider this a particularly serious
    issue.
    
    configurations with UseIMAPS enabled or using a secure Tunnel were not
    affected to start with.
    
    a side effect of this fix is that most users of Tunnel will now need to
    explicitly set RequireSSL to false.
    an alternative approach would be defaulting all SSL-related settings to
    off when Tunnel is used. this would be too invasive for a patch release,
    but i'll consider it for 1.2.
    
    see also CVE-2014-2567 for the Trojita MUA.

 src/drv_imap.c |   15 ++++++++++++---
 src/mbsync.1   |    5 +++++
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/drv_imap.c b/src/drv_imap.c
index b1f9de6..ebd8bf0 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -1571,11 +1571,13 @@ imap_open_store_p2( imap_store_t *ctx, struct imap_cmd 
*cmd ATTR_UNUSED, int res
 static void
 imap_open_store_authenticate( imap_store_t *ctx )
 {
-       if (ctx->greeting != GreetingPreauth) {
 #ifdef HAVE_LIBSSL
-               imap_store_conf_t *cfg = (imap_store_conf_t *)ctx->gen.conf;
-               imap_server_conf_t *srvc = cfg->server;
+       imap_store_conf_t *cfg = (imap_store_conf_t *)ctx->gen.conf;
+       imap_server_conf_t *srvc = cfg->server;
+#endif
 
+       if (ctx->greeting != GreetingPreauth) {
+#ifdef HAVE_LIBSSL
                if (!srvc->sconf.use_imaps &&
                    (srvc->sconf.use_sslv2 || srvc->sconf.use_sslv3 || 
srvc->sconf.use_tlsv1)) {
                        /* always try to select SSL support if available */
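Review bot: hoisting `cfg` and `srvc` to function scope under `#ifdef HAVE_LIBSSL` is what lets the new `else` branch see them, but it leaves two back-to-back `#ifdef HAVE_LIBSSL` regions separated only by the `if (ctx->greeting != GreetingPreauth)` line, which reads as accidental. A one-line comment on the hoisted declarations noting that both the STARTTLS path and the PREAUTH path need `srvc` would make the intent clear; both uses remain inside `#ifdef` regions, so non-libssl builds get no unused-variable warning.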
@@ -1595,6 +1597,13 @@ imap_open_store_authenticate( imap_store_t *ctx )
 #endif
                imap_open_store_authenticate2( ctx );
        } else {
+#ifdef HAVE_LIBSSL
+               if (!srvc->sconf.use_imaps && srvc->require_ssl) {
+                       error( "IMAP error: SSL support not available\n" );
+                       imap_open_store_bail( ctx );
+                       return;
+               }
+#endif
                imap_open_store_namespace( ctx );
        }
 }
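Review bot: the error text in the new PREAUTH branch, `error( "IMAP error: SSL support not available\n" );`, describes the wrong condition. SSL support is compiled in here (the block is inside `#ifdef HAVE_LIBSSL`); what actually happened is that the server greeted with PREAUTH, so STARTTLS cannot be negotiated, while `RequireSSL` is still set. A message naming that, for example "IMAP error: preauthenticated connection cannot use STARTTLS, but RequireSSL is set", points the user at the setting the man page change tells them to flip, and distinguishes this from the existing "SSL support not available" failure on the STARTTLS path. The guard itself is right: `!srvc->sconf.use_imaps` keeps IMAPS connections (already encrypted) from tripping it, and bailing before `imap_open_store_namespace( ctx )` stops the LIST/CREATE/EXPUNGE traffic described in the commit message from reaching an unauthenticated peer.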
diff --git a/src/mbsync.1 b/src/mbsync.1
index a2335d9..d932a36 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -267,6 +267,11 @@ Specify a command to run to establish a connection rather 
than opening a TCP
 socket.  This allows you to run an IMAP session over an SSH tunnel, for
 example.
 \fBHost\fR and \fBPort\fR are ignored when \fBTunnel\fR is set.
+.br
+If \fBUseIMAPS\fR is disabled and the tunnel opens a preauthenticated
+connection, \fBRequireSSL\fR also needs to be disabled.
+If the connection is not preauthenticated, but the tunnel is secure,
+disabling \fBRequireSSL\fR and \fBUseTLSv1\fR is recommended.
 ..
 .TP
 \fBRequireCRAM\fR \fIyes\fR|\fIno\fR
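Review bot: the added Tunnel paragraph tells users that `RequireSSL` must be disabled for a preauthenticated tunnel but not why, so a reader hitting the new error has to infer the cause. Adding a clause such as "because a preauthenticated connection cannot negotiate STARTTLS" to the first sentence would connect the setting to the failure. The second sentence recommends disabling `UseTLSv1` for a secure, non-preauthenticated tunnel; it would help to say this is to avoid a pointless STARTTLS attempt inside an already-encrypted channel, since otherwise it reads as weakening the configuration.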

isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel