Closed dglynos closed 3 years ago
Hello, we were doing a quick functional test of Canary Mail, which uses a fork of mailcore2, and found it wasn't performing certificate validation when connecting to IMAP servers with STARTTLS. CVE-2021-26911 has been assigned to this issue. For more info on this, see: https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/
While investigating this further today, it seems that the vulnerability stems from mailcore2. Specifically, checkCertificate() is never called for ConnectionTypeStartTLS in https://github.com/MailCore/mailcore2/blob/5fb0f93010ff7af426e72e9066db8cb19b8154be/src/core/imap/MCIMAPSession.cpp#L658
This is a serious vulnerability as it allows for man-in-the-middle attacks as described in the aforementioned article.
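To make the defect class concrete, here is an added illustration that is not mailcore2's code and does not reproduce MCIMAPSession.cpp: a toy IMAP connect routine with the connection-type dispatch the report describes (certificate check reached only on the direct-TLS path) beside a corrected dispatch that checks the certificate on every path that ends up inside TLS. The names `checkCertificate` and `ConnectionTypeStartTLS` are borrowed from the issue; the `ServerCert` struct, the `Outcome` enum, the `connectVulnerable`/`connectFixed` functions and the sample certificates are all constructed for this example.

```cpp
// Added example, not mailcore2's implementation: models the missing
// certificate check on the STARTTLS path and the corrected dispatch.
#include <string>

enum ConnectionType { ConnectionTypeClear, ConnectionTypeTLS, ConnectionTypeStartTLS };

// Constructed stand-in for what a TLS handshake hands back to the session.
struct ServerCert {
    std::string subject;  // hostname the certificate was issued for
    bool chainValid;      // whether the chain verifies to a trusted root
};

enum Outcome { Connected, Rejected };

// Hypothetical stand-in for the session's checkCertificate(): accept only a
// certificate whose chain verifies and whose name matches the host dialled.
bool checkCertificate(const ServerCert& cert, const std::string& host) {
    return cert.chainValid && cert.subject == host;
}

// Vulnerable dispatch: the STARTTLS upgrade completes, but the certificate
// presented during the upgrade is never validated, so a forged certificate
// from an on-path attacker is accepted just like a genuine one.
Outcome connectVulnerable(ConnectionType type, const ServerCert& cert, const std::string& host) {
    switch (type) {
    case ConnectionTypeClear:
        return Connected;  // no TLS at all, nothing to check
    case ConnectionTypeTLS:
        return checkCertificate(cert, host) ? Connected : Rejected;
    case ConnectionTypeStartTLS:
        return Connected;  // BUG: checkCertificate() is skipped on this path
    }
    return Rejected;
}

// The fix consolidates the decision: any connection type that is inside TLS
// after setup must pass the certificate check before the session proceeds.
bool tlsInUse(ConnectionType type) {
    return type == ConnectionTypeTLS || type == ConnectionTypeStartTLS;
}

Outcome connectFixed(ConnectionType type, const ServerCert& cert, const std::string& host) {
    if (!tlsInUse(type)) {
        return Connected;  // cleartext connection, no certificate to validate
    }
    return checkCertificate(cert, host) ? Connected : Rejected;
}

int main() {
    // Constructed sample certificates: one genuine, one that would come from
    // an interposed server (chain does not verify, name does not match).
    ServerCert genuine{"imap.example.com", true};
    ServerCert forged{"attacker.example", false};

    // Vulnerable path accepts the forged certificate over STARTTLS;
    // the fixed path rejects it and still accepts the genuine one.
    bool vulnerableAccepts = connectVulnerable(ConnectionTypeStartTLS, forged, "imap.example.com") == Connected;
    bool fixedRejects = connectFixed(ConnectionTypeStartTLS, forged, "imap.example.com") == Rejected;
    bool fixedAccepts = connectFixed(ConnectionTypeStartTLS, genuine, "imap.example.com") == Connected;
    return (vulnerableAccepts && fixedRejects && fixedAccepts) ? 0 : 1;
}
```

The useful regression test for a client library is the pair of assertions in `main`: a certificate that fails chain or name validation must be rejected on the STARTTLS path exactly as it is on the direct-TLS path, so a test that only exercises `ConnectionTypeTLS` would never have caught the defect.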
Thanks @dglynos for your contribution! Fixed at https://github.com/MailCore/mailcore2/commit/fad23d736ed5a63cf8321469d3a98a583f55df97
You're welcome! @haithngn it would be a good idea to publish a mailcore2 release so that security advisories may point to the release for the fix. Do you think this is possible?