Subject: SSL certificate validation problems in Ximian Evolution
Date: 03 Oct 2002 14:00:35 +0200
From: Veit Wahlich <veit@legalized.de>
To: bugtraq@securityfocus.com

Discovered: 2002-09-08, Ximian has been informed on 2002-09-09.
Impact: medium, if SSL (IMAPS, SMTPS, POP3S) is used; none, if not
Affected: Ximian Evolution 1.0.x and earlier

Description:
Due to missing SSL validation code, Evolution's camel component is vulnerable to common SSL man-in-the-middle attacks, independent of the SSL issues currently in discussion. Certificates accepted once are no longer checked by camel. The behavior described below has been verified using both self-signed certificates as well as a regular valid Thawte-signed certificate (but regarded invalid by camel) for the server and a self-signed certificate for the attacker. As the valid certificate has been regarded invalid, it also needs to be checked with a certificate from a valid or valid-made CA.

Solution:
According to Ximian, Evolution 1.1.x (beta of the upcoming 1.2 branch) is no longer affected, so those people who would like to trust SSL connections should consider upgrading. Ximian has released Evolution 1.1.1.

Exploitation Details:
Imagine e.g. an IMAP connection over SSL. After a connection breakdown, Evolution quietly re-establishes the IMAPS connection on next access, but it seems not to check the identity of the peer. During the time period in which no connection is established, the certificate is replaced, e.g. by an SSL m-i-t-m attack, with the attacker's self-signed certificate, allowing him to read and even modify all data transferred. The attacker might also set up SSL m-i-t-m filters first and then drop/kill the connection still established. Evolution re-establishes the connection without showing any warning dialog. Using POP3S and SMTPS over the same certificates (and host) does not postulate any validation either.

Regards,
// Veit Wahlich
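As an added illustration of the check the post says camel skips (this is not code from Evolution or from the reporter): a trust-on-first-use store that re-compares the peer certificate's fingerprint on every reconnect, so a changed certificate surfaces as a mismatch instead of being accepted silently. The host names and the DER byte strings used as input are constructed placeholders, not real certificates.

```python
"""Reconnect-time peer certificate re-validation (trust-on-first-use)."""
import hashlib
import hmac
import socket
import ssl
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first_seen"  # no record yet: the user must be asked
    MATCH = "match"            # same certificate as previously accepted
    MISMATCH = "mismatch"      # certificate changed: refuse and warn


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the usual pinning identifier."""
    return hashlib.sha256(der_cert).hexdigest()


class PeerTrustStore:
    """Remembers one accepted fingerprint per (host, port)."""

    def __init__(self) -> None:
        self._pins: dict[tuple[str, int], str] = {}

    def evaluate(self, host: str, port: int, der_cert: bytes) -> Verdict:
        """Compare what the peer presents now with what was accepted before."""
        pinned = self._pins.get((host, port))
        if pinned is None:
            return Verdict.FIRST_SEEN
        # Constant-time compare; a changed cert on reconnect is the MITM case.
        same = hmac.compare_digest(pinned, fingerprint(der_cert))
        return Verdict.MATCH if same else Verdict.MISMATCH

    def accept(self, host: str, port: int, der_cert: bytes) -> None:
        """Record a certificate the user explicitly accepted."""
        self._pins[(host, port)] = fingerprint(der_cert)


def connect_imaps(store: PeerTrustStore, host: str, port: int = 993) -> ssl.SSLSocket:
    """Open an IMAPS connection; a reconnect runs the same checks as the first connect."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname verification
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)
    verdict = store.evaluate(host, port, tls.getpeercert(binary_form=True))
    if verdict is Verdict.MISMATCH:
        tls.close()
        raise ssl.SSLError(f"certificate for {host}:{port} changed since it was accepted")
    return tls
```

The store holds the fingerprint for each host and port separately, so a certificate accepted for IMAPS does not implicitly cover POP3S or SMTPS on the same host.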
There is no fix available for this from what I've seen. We'd better issue a warning and suggest not to trust SSL in this version. 1.1.x are unstable betas; not sure if we want to support those. I know I would rather not support evo at all, but I'm biased.
Evolution 1.2 has been in portage for about a month now. Only Bug 11429 is filed against it here, and that one appears to be a weird 'works for everyone but reporter' type. Time to unmask it (at least so far as the unstable profile is concerned), perhaps? Note this thread on the forums, though: http://forums.gentoo.org/viewtopic.php?t=23919 . I've experienced this crash as well, and can confirm that using the linked replacement file eliminates it.
It has other issues as well. For instance, it will crash when trying to add or view attachments with gnome-mime-data-2 instead of version 1. I guess we should file a bug with Ximian if there isn't one already ...
too late