Security researchers discovered a vulnerability, CVE-2021-33515, in the underlying technology deployed by most email servers running the IMAP protocol (Internet Message Access Protocol). The vulnerability has been around for at least a year, allowing attackers to bypass TLS email protections and snoop on messages.
Related: Four Zero-Days Patched in Microsoft Exchange E-Mail Server
CVE-2021-33515 In Detail
Fortunately, the bug which was first reported in August last year is now patched. The issue stems from the email server software called Dovecot, which is used by the majority of IMAP severs.
According to researchers Fabian Ising and Damian Poddebniak from Münster University of Applied Sciences, the CVE-2021-33515 vulnerability creates the possibility of a MITM attack. “During our research into the security of email servers at Münster University of Applied Sciences, we found a command injection vulnerability related to STARTTLS in Dovecot,” the researchers said in their report.
The flaw could allow a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker. However, it should be noted that an attacker needs to have sending permissions on the Dovecot server.
A successful exploit could allow a MITM attacker to steal SMTP user credentials and mails, the researchers warned.
According to Ubuntu’s advisory:
On-path attacker could inject plaintext commands before STARTTLS negotiation that would be executed after STARTTLS finished with the client. Only the SMTP submission service is affected.
Fortunately, the vulnerability, which Tenable rated as critical has already been pathed. A patch is available for Dovecot running on Ubuntu. Affected parties should update to Dovecot version v2.3.14.1 and later. Workaround fixes are also available, such as disabling START-TLS and configuring Dovecot to only accept pure TLS connections on port 993/465/995. However, the attack must be mitigated on the server, the researchers pointed out.