Hackers can snoop on email messages by exploiting a bug in the underlying technology used by the majority of email servers that run the IMAP. The bug, first reported in August 2020 and patched now is tied to the email server software Dovecot, used by over three-quarters of IMAP servers which could lead to meddle-in-the-middle (MITM) attack.

The vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker.

A patch for the vulnerability, rated by the vendor as -severity and by the third-party security firm Tenable as critical, is available for download in the form of Dovecot version v2.3.14.1.

The flaw centers around the implementation of the email instruction called START-TLS, a command issued between an email program and server that’s designed to secure the delivery of email messages. This could lead to a session fixation attack.

A session fixation attack allows an adversary to hijack a client server connection after the user logs in. In order to conduct the attack, an attacker first creates a legit account on a Dovecot server. They now wait for and an encrypted connection on port 465 from a victim’s email client. As soon as the client connects, the attacker initiates a separate START-TLS connection to Dovecot and injects their own malicious prefix.

This implementation flaw with START-TLS in Dovecot, the attacker can login to the session and forward the full TSL traffic from the targeted victim’s SMTP server as part of its own session. Through which an attacker gains full credentials.

Fix and Workaround

A fix for the vulnerability, tracked as CVE-2021-33515, is available for Dovecot running on Ubuntu, the Linux distribution based on Debian. Dovecot version v2.3.14.1 and later mitigates the issue.

Workaround fixes includes disabling START-TLS and configuring Dovecot to only accept “pure TLS connections” on port 993/465/995.