The Email Bug (Credential Theft)

Researchers are warning that attackers can snoop on email by exploiting a bug in the server software behind the majority of mail servers that speak the Internet Message Access Protocol (IMAP). The bug, first reported in August 2020 and patched Monday, is in the Dovecot mail server, which runs over three-quarters of IMAP servers according to the Open Email Survey.

The vulnerability opens the door to a man-in-the-middle (MITM) attack, according to a report by researchers Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences in Germany.

“The vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker,” according to the research, which was linked from a bug-bounty page and dated August 2020.

Bypassing TLS and Certificates
The flaw centers on the implementation of the STARTTLS command, which a mail client issues on an existing plaintext connection to upgrade it to TLS before credentials and messages are sent, according to a technical description by AnubisNetworks.

“This bug allows [an attacker] to bypass security features of SMTP such as the blocking of plaintext logins. Furthermore, it allows [an attacker] to mount a session fixation attack, which may result in the theft of credentials such as the SMTP username and password,” the researchers wrote.

A session fixation attack lets an adversary hijack a client-server session after the user has logged in, according to an OWASP description.

“For a possible attack, [the attacker] first needs a legitimate account on the Dovecot server. The attacker then waits for and [intercepts] an encrypted connection on port 465 from a victim’s email client,” the researchers wrote. “As soon as the client (unknowingly) attempts to connect, the attacker initiates a separate STARTTLS connection to Dovecot and injects their own malicious prefix, e.g. a login command.”

Because of the STARTTLS implementation flaw in Dovecot, the researchers say, the attacker can log in to that session and then forward the victim’s full TLS traffic to the SMTP server as part of the attacker’s own session. The server treats the plaintext prefix it buffered before the TLS upgrade as if it had arrived inside the encrypted session, so the victim’s encrypted commands execute in a session the attacker has already authenticated.

“The attacker will have access and obtain the full credentials from its inbox. At no point was TLS broken or certificates compromised,” the researchers wrote. The pair also outlined the bug in a proof-of-concept attack.
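As an added illustration (not code from the page, the researchers or Dovecot), the following Python toy model shows the mechanism the attack described above relies on: a server that buffers cleartext input, accepts STARTTLS, and then keeps parsing whatever was already buffered as if it had arrived inside the TLS session. The `hardened` flag switches in the fix, discarding the buffer at the TLS upgrade. The account name, password, hostnames and reply strings are constructed for the demo; the TLS handshake itself is not modelled, since the attack never touches it.

```python
import base64
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo account: the attacker holds a legitimate login on the
# server, as the research requires. Not a real credential.
ACCOUNTS = {"attacker@example.test": "attacker-pw"}


@dataclass
class SmtpSession:
    """Minimal SMTP submission state machine (toy model, not Dovecot's code)."""
    hardened: bool                       # True: discard buffered input after STARTTLS
    tls_active: bool = False
    authenticated_as: Optional[str] = None
    replies: list = field(default_factory=list)
    _buf: bytes = b""

    def feed(self, data: bytes) -> list:
        """Feed application-layer bytes (cleartext, or decrypted TLS payload)."""
        out = []
        self._buf += data
        while b"\r\n" in self._buf:
            line, self._buf = self._buf.split(b"\r\n", 1)
            reply = self._handle(line.decode("ascii", "replace"))
            out.append(reply)
            self.replies.append(reply)
        return out

    def _handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-example.test\r\n250-STARTTLS\r\n250 AUTH PLAIN"
        if verb == "STARTTLS":
            if self.tls_active:
                return "503 5.5.1 TLS already active"
            self.tls_active = True  # a real server runs the TLS handshake here
            if self.hardened:
                # The fix: cleartext that followed STARTTLS is untrusted, drop it.
                self._buf = b""
            # Vulnerable: the buffered cleartext survives and is parsed next,
            # with tls_active already set, as if it had come over TLS.
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            # Policy "no plaintext logins": AUTH is refused before TLS.
            if not self.tls_active:
                return "538 5.7.11 Encryption required for requested authentication mechanism"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 5.5.4 Unrecognized authentication type"
            try:
                _authzid, user, pw = base64.b64decode(blob).decode().split("\0")
            except ValueError:
                return "501 5.5.2 Malformed AUTH PLAIN"
            if ACCOUNTS.get(user) == pw:
                self.authenticated_as = user
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb in ("MAIL", "RCPT", "DATA"):
            if not self.authenticated_as:
                return "530 5.7.0 Authentication required"
            return f"250 OK ({verb} accepted in session of {self.authenticated_as})"
        return "500 5.5.2 Command not recognized"


def attacker_prefix() -> bytes:
    """Cleartext prefix the MITM sends first: STARTTLS and its own login in one segment."""
    blob = base64.b64encode(b"\0attacker@example.test\0attacker-pw").decode()
    return f"EHLO mitm\r\nSTARTTLS\r\nAUTH PLAIN {blob}\r\n".encode()


def run_attack(hardened: bool) -> SmtpSession:
    s = SmtpSession(hardened=hardened)
    # 1. A plain AUTH before TLS is refused in both versions (reply 538).
    s.feed(b"AUTH PLAIN AGEAYg==\r\n")
    # 2. The attacker's prefix: STARTTLS immediately followed by AUTH.
    s.feed(attacker_prefix())
    # 3. The attacker relays the victim's TLS bytes untouched; once decrypted
    #    they are ordinary SMTP lines, executing in whatever session the
    #    prefix left behind.
    s.feed(b"MAIL FROM:<victim@example.test>\r\n")
    return s


if __name__ == "__main__":
    for hardened in (False, True):
        s = run_attack(hardened)
        print("hardened" if hardened else "vulnerable", s.replies[1:], s.authenticated_as)
```

In the vulnerable run the AUTH line is accepted even though it was never sent over TLS, and the victim's first command is answered inside the attacker's authenticated session; in the hardened run the same prefix leaves no session behind and the victim's command is refused until the victim authenticates over the real TLS channel.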


Patches Available

A fix for the vulnerability, tracked as CVE-2021-33515, is available for Dovecot on Ubuntu, the Debian-based Linux distribution. Dovecot v2.3.14.1 and later mitigate the issue; the installed version can be checked with dovecot --version.

