Message-ID: <5d2e2615-eed6-40ac-2788-3e4a882e2f80@census-labs.com>
Date: Wed, 17 Feb 2021 20:06:00 +0200
From: Dimitrios Glynos <dimitris@...sus-labs.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate
 validation

Hello,

Rayd Debbas of CENSUS identified that Canary Mail versions 3.20 and 3.21
(and possibly previous versions) do not perform a certificate validation
check when configured for IMAP in STARTTLS mode. This bug affects Canary
Mail builds for Apple macOS and iOS.

It is thus possible to carry out a man-in-the-middle attack in such
scenarios, and victim users receive no warning. More information
about the issue can be found here:

https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/

The creators of Canary Mail have released version 3.22
of the software which addresses the issue. The relevant git commit
can be found here:

https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018?branch=45acb4efbcaa57a20ac5127dc976538671fce018&diff=split

CVE-2021-26911 was assigned to this issue by MITRE.

Kind regards,

Dimitris
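A test harness for the bug class described in the post above, added here as an example and not part of the original message, of Canary Mail or of mailcore2: a fake IMAP server that advertises STARTTLS and then presents a self-signed certificate (assumed to have been generated beforehand with the openssl command in the docstring; the port, file names and CN are arbitrary). A mail client that validates server certificates aborts the TLS handshake; a client that does not, as the 3.20/3.21 builds are reported to behave, goes on to send LOGIN or AUTHENTICATE over the untrusted session, which the server reports as VULNERABLE. The command handling is split out so the protocol logic can be exercised without a network.

```python
"""Fake IMAP server for checking whether a mail client validates the server
certificate when configured for IMAP with STARTTLS.

Constructed example; not Canary Mail or mailcore2 code. It assumes a
self-signed certificate and key were generated beforehand, e.g.:

    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=not-your-mail-server.invalid' -keyout fake.key -out fake.crt

Run:  python fake_imap_starttls.py fake.crt fake.key 1143
and point the client under test at this host/port with STARTTLS enabled.
"""
import socket
import ssl
import sys

# Capabilities advertised in cleartext: STARTTLS offered, plaintext LOGIN refused.
CAPABILITIES = "IMAP4rev1 STARTTLS LOGINDISABLED"


def parse_command(line: bytes):
    """Split a tagged IMAP command line (e.g. b'A001 STARTTLS') into
    (tag, COMMAND, args); None for a line without both a tag and a command."""
    parts = line.decode("ascii", "replace").strip().split(" ", 2)
    if len(parts) < 2:
        return None
    tag, cmd = parts[0], parts[1].upper()
    args = parts[2] if len(parts) == 3 else ""
    return tag, cmd, args


def respond(line: bytes, tls_active: bool):
    """Return (response_bytes, action) for one client line.

    action is None, 'starttls', 'bye' or 'credentials'. 'credentials' means the
    client sent authentication data over a TLS session whose certificate it had
    no reason to trust, i.e. it did not validate the certificate."""
    parsed = parse_command(line)
    if parsed is None:
        return b"* BAD malformed command\r\n", None
    tag, cmd, _args = parsed
    if cmd == "CAPABILITY":
        caps = "IMAP4rev1 AUTH=PLAIN" if tls_active else CAPABILITIES
        return f"* CAPABILITY {caps}\r\n{tag} OK CAPABILITY completed\r\n".encode(), None
    if cmd == "NOOP":
        return f"{tag} OK NOOP completed\r\n".encode(), None
    if cmd == "LOGOUT":
        return f"* BYE\r\n{tag} OK LOGOUT completed\r\n".encode(), "bye"
    if cmd == "STARTTLS":
        if tls_active:
            return f"{tag} BAD TLS already active\r\n".encode(), None
        return f"{tag} OK Begin TLS negotiation now\r\n".encode(), "starttls"
    if cmd in ("LOGIN", "AUTHENTICATE"):
        if not tls_active:
            return f"{tag} NO Use STARTTLS first\r\n".encode(), None
        # Never accept the credentials; the point is only to observe that they were sent.
        return f"{tag} NO [AUTHENTICATIONFAILED] test server\r\n".encode(), "credentials"
    return f"{tag} BAD unknown command\r\n".encode(), None


def read_line(sock):
    """Read one LF-terminated line byte by byte (adequate for a test harness);
    None when the peer closes the connection."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            return None
        buf += chunk
    return bytes(buf)


def serve_one(conn, ssl_ctx):
    """Drive one client through greeting, STARTTLS and whatever it does next."""
    tls_active = False
    try:
        conn.sendall(f"* OK [CAPABILITY {CAPABILITIES}] fake IMAP server ready\r\n".encode())
        while True:
            line = read_line(conn)
            if line is None:
                print("client closed the connection (tls_active=%s)" % tls_active)
                return
            response, action = respond(line, tls_active)
            conn.sendall(response)
            if action == "starttls":
                try:
                    # Handshake with the self-signed cert; a validating client aborts here.
                    conn = ssl_ctx.wrap_socket(conn, server_side=True)
                except OSError as exc:  # ssl.SSLError is a subclass of OSError
                    print("OK: client aborted the TLS handshake: %s" % exc)
                    return
                tls_active = True
                print("TLS up with untrusted certificate; waiting to see whether the client continues")
            elif action == "credentials":
                print("VULNERABLE: client sent %s over the untrusted TLS session" % line.split()[1].decode())
            elif action == "bye":
                return
    finally:
        conn.close()  # closes the SSLSocket after STARTTLS, the plain socket before


if __name__ == "__main__":
    cert_file, key_file = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 1143
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    with socket.create_server(("0.0.0.0", port)) as srv:
        print("fake IMAP server listening on port %d" % port)
        while True:
            client, addr = srv.accept()
            print("connection from %s:%d" % addr)
            serve_one(client, ctx)
```

The server deliberately refuses LOGIN before STARTTLS and advertises LOGINDISABLED, so the only way a client can hand over credentials is after the TLS handshake with the self-signed certificate; seeing LOGIN or AUTHENTICATE at that point is the observable symptom of the missing validation check.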



