Security researchers have disclosed as many as 40 different vulnerabilities associated with an opportunistic encryption mechanism in mail clients and servers that could open the door to targeted man-in-the-middle (MitM) attacks, permitting an intruder to forge mailbox content and steal credentials affecting 320,000 email servers
Some of the popular clients affected by the bugs include Apple Mail, Gmail, Mozilla Thunderbird, Claws Mail, Mutt, Evolution, Exim, Mail.ru, Samsung Email, Yandex, and KMail. The attacks require that the malicious party can tamper connections established between an email client and the email server of a provider and has login credentials for their own account on the same server.
STARTTLS refers to a form of opportunistic TLS that enables email communication protocols such as SMTP, POP3, and IMAP to be transitioned or upgraded from a plain text connection to an encrypted connection instead of having to use a separate port for encrypted communication.
Upgrading connections via STARTTLS is fragile and vulnerable to a number of security vulnerabilities and attacks, allowing a meddler-in-the-middle to inject plaintext commands that a server would be interpret as if they were part of the encrypted connection thereby enabling the adversary to steal credentials with the SMTP and IMAP protocols.
Email clients must authenticate themselves with a username and password before submitting a new email or accessing existing emails. For these connections, the transition to TLS via STARTTLS must be strictly enforced because a downgrade would reveal the username and password and give an attacker full access to the email account
A malicious actor can bypass STARTTLS in IMAP by sending a PREAUTH greeting a response that indicates that the connection has already been authenticated by external means to prevent the connection upgrade and force a client to an unencrypted connection.
Stating that implicit TLS is a more secure option than STARTTLS, the researchers recommend users to configure their email clients to use SMTP, POP3 and IMAP with implicit TLS on dedicated ports, in addition to urging developers of email server and client applications to offer implicit TLS by default.
The demonstrated attacks require an active attacker and may be recognized when used against an email client that tries to enforce the transition to TLS. Always update software to latest…..