On 20 Aug 2020, at 11:38, Benny Kjær Nielsen wrote:
Just a quick review: The paper does not state the version of MailMate
used for the tests and the public release of MailMate does not behave
as described in the paper. The paper describes three issues labelled
A1-A3.
Benny:
According to CVE-2020-12619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12619
--
Description
MailMate before 1.11 automatically imported S/MIME certificates and
thereby silently replaced existing ones. This allowed a
man-in-the-middle attacker to obtain an email-validated S/MIME
certificate from a trusted CA and replace the public key of the entity
to be impersonated. This enabled the attacker to decipher further
communication. The entire attack could be accomplished by sending a
single email.
--
Even though this is a different CVE than the ones mentioned in the ZDNET
article, maybe this is where they got the version of MailMate used in
the tests.
(How do they come up with this stuff? I mean, who the heck is even
using MailMate 1.10 or earlier anymore?)
- Greg
_______________________________________________
mailmate mailing list
[email protected]
https://lists.freron.com/listinfo/mailmate
