730748 – (CVE-2020-14928) <gnome-extra/evolution-data-server-3.36.4: Response injection via STARTTLS (SMTP, POP3) (CVE-2020-14928)

Bug 730748 (CVE-2020-14928) - <gnome-extra/evolution-data-server-3.36.4: Response injection via STARTTLS (SMTP, POP3) (CVE-2020-14928)

Summary: <gnome-extra/evolution-data-server-3.36.4: Response injection via STARTTLS (S...

Status:	RESOLVED FIXED

Alias:	CVE-2020-14928

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://gitlab.gnome.org/GNOME/evolut...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:	807352
	Show dependency tree

Reported:	2020-07-04 18:21 UTC by Sam James
Modified:	2021-08-10 01:49 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	gnome-extra/evolution-data-server-3.36.4 mail-client/evolution-3.36.4 gnome-extra/evolution-ews-3.36.4
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-07-04 18:21:19 UTC

From URL:
"We found a STARTTLS issue in Evolution, which affects SMTP and POP3.
When the server responds with its "let's do TLS now message", e.g. +OK begin TLS\r\n, Evolution will read any data after the \r\n and save it into some internal buffer for later processing. 

This is problematic, because a MITM attacker can inject arbitrary responses. I havn't tested it to this extent, but I suspect that this is enough to forge an entire new POP3 mailbox.
There is a nice blogpost by Wietse Venema about a "command injection" in postfix (http://www.postfix.org/CVE-2011-0411.html). 

What we have here is the problem in reverse, i.e. not a command injection, but a "response injection."

Example trace to give an intuition:

C: stls
S: +OK begin TLS
   +OK ack future user command // injected response
   +OK ack future pass command // injected response
<--- TLS --->
C: user alice
// here, Evolution interprets the first injected "+OK" response and proceeds...
C: pass password
// here, Evolution interprets the second injected "+OK" response and proceeds... 
...
An attacker can inject many more responses and (in the worst case) mimic a whole session."

Comment 1 Sam James archtester

2020-07-04 18:23:00 UTC

Fixed in 3.36.4, 3.37.3

https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/e3ce982c52aac2b094c6bc7fca7b746213714222

https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/ebb4a3d7576118b282b1e951a696bd7062b73749

Thanks to leio for pinging about this.

Comment 2 Larry the Git Cow gentoo-dev

2020-07-04 21:18:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80ea3296f50742cd45e11c9e873fb9998f6be688

commit 80ea3296f50742cd45e11c9e873fb9998f6be688
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-04 17:52:39 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-04 21:18:17 +0000

    gnome-extra/evolution-data-server: bump to 3.36.4, fixes CVE-2020-14928
    
    Bug: https://bugs.gentoo.org/730748
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 gnome-extra/evolution-data-server/Manifest         |   1 +
 .../evolution-data-server-3.36.4.ebuild            | 148 +++++++++++++++++++++
 2 files changed, 149 insertions(+)

Comment 3 Agostino Sarubbo gentoo-dev

2020-07-09 09:04:47 UTC

x86 stable

Comment 4 Sam James archtester

2020-07-17 00:05:15 UTC

amd64: ping

Comment 5 Agostino Sarubbo gentoo-dev

2020-07-17 07:22:59 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.