On Wed, Aug 11, 2021 at 05:42:40PM +0200, Hanno Böck wrote:
> We started analyzing STARTTLS implementations in E-Mail servers and
> clients based on the 2011 command injection discovered in Postfix.
Specifically discovered by Wietse Venema, while refactoring some Postfix
code. He observed that the issue was likely not Postfix-specific, and
can affect any STARTTLS stack in which buffering happens above the
underlying I/O stack, and persists across STARTTLS. The Postfix
exposure was addressed back in 2011, and a broader advisory was
published at the time, which noted out potential exposure in other
systems.
> We learned that this vulnerability is still very prevalent in current
> servers and that clients suffer from simliar vulnerabilities. We also
> found some IMAP specific vulnerabilities.
What's new here, is largely a survey to see whether the issue Wietse
observed and reported in 2011 has at this point been attended to in
various other products, plus a more detailed exploration of how any
still vulnerable systems can be abused.
> Our research has not focussed on the server-to-server part.
By and large the extant MTAs were either immune by (accidental) virtue
of the internal I/O layering design, or were remediated circa 2011.
> Still I think particularly the buffering / injection vulnerabilities
> are a concern if one wants to secure s2s communication with mechanisms
> like MTA-STS.
MTA-STS is very thinly deployed, and many deployments have remained in
"testing" mode (for multiple years) to this day:
$ curl -sLo - https://mta-sts.yahoo.com/.well-known/mta-sts.txt
version: STSv1
mode: testing
mx: *.am0.yahoodns.net
mx: *.mail.gm0.yahoodns.net
mx: *.mail.am0.yahoodns.net
max_age: 86400
Legitimate sending MTAs that validate Yahoo's (or other) MTA-STS
policies are not exposed to this issue, unless their own (client SMTP)
stack has STARTTLS buffering problems, in which case some forged
cleartext could be pipelined (by an MiTM) with the server's cleartext
STARTTLS command response.
> I strongly recommend that users of MTA-STS audit their STARTTLS
> implementations for buffering bugs.
The issue isn't particularly MTA-STS specific, it should be addressed
whether or not MTA-STS is supported.
> (We found a buffering bug in Yahoo's MX servers, and Yahoo is one of
> the companies driving MTA-STS.
I wouldn't exactly call staying in testing mode for ~3 years "driving".
> I was unable to report this properly to Yahoo, I reported it through
> their Hackerone bugbounty program, but the bug triagers were unwilling
> to try to understand the issue and didn't forward it to Yahoo.)
Yahoo appears to be "on life support", so I'm not surprised if there is
little movement on technical issues.
--
Viktor.
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
