List: oss-security
Subject: [oss-security] CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation
From: Dimitrios Glynos <dimitris () census-labs ! com>
Date: 2021-02-17 18:06:00
Message-ID: 5d2e2615-eed6-40ac-2788-3e4a882e2f80 () census-labs ! com
Hello,
Rayd Debbas of CENSUS identified that Canary Mail versions 3.20 and 3.21
(and possibly previous versions) do not perform a certificate validation
check when configured for IMAP in STARTTLS mode. This bug affects Canary
Mail builds for Apple macOS and iOS.
It is thus possible to carry out a man-in-the-middle attack in such
scenarios, and victim users receive no warning. More information
about the issue can be found here:
https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/
The creators of Canary Mail have released version 3.22
of the software which addresses the issue. The relevant git commit
can be found here:
https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018?branch=45acb4efbcaa57a20ac5127dc976538671fce018&diff=split
CVE-2021-26911 was assigned to this issue by MITRE.
Kind regards,
Dimitris
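The bug class described above (an IMAP client that upgrades with STARTTLS but never checks the server certificate) is easy to reproduce and, more usefully, easy to audit for on the client side. The following is an added example written for this post; it is not Canary Mail or mailcore2 code and does not reflect how that project fixed the issue. It uses only the Python standard library: `make_verifying_context` builds a context that validates both the certificate chain and the hostname, `legacy_nonverifying_context` builds the kind of context whose behaviour matches the advisory (kept only so the auditor has something to flag), `audit_context` reports the settings that would let an interposed server go unnoticed, and `imap_starttls_login` refuses to talk to a server with anything but a verifying context. Host, user and password arguments, and the optional `cafile` parameter, are placeholders supplied by the caller.

```python
"""Added example (not Canary Mail / mailcore2 code): IMAP over STARTTLS with
certificate validation enforced, plus an audit helper for client TLS settings."""
import imaplib
import ssl


def make_verifying_context(cafile=None):
    """Context that validates the server chain *and* matches the hostname.

    ssl.create_default_context() already sets verify_mode=CERT_REQUIRED and
    check_hostname=True. `cafile` (assumption: optional path to a private CA
    bundle) is only needed for servers whose issuer is not in the system store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_nonverifying_context():
    """Context whose behaviour matches the advisory: the TLS handshake completes
    against any certificate, so a man-in-the-middle produces no warning.
    Present here only as the negative case for audit_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of settings that would let an interposed server go unnoticed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS < 1.2")
    return findings


def imap_starttls_login(host, user, password, port=143, ctx=None):
    """Open a plaintext IMAP session, upgrade with STARTTLS, then LOGIN.

    The context is audited before any socket is opened, so a non-verifying
    configuration is rejected up front. imaplib passes server_hostname to
    wrap_socket, so check_hostname applies to the upgraded connection. A
    verification failure raises ssl.SSLCertVerificationError; callers must
    let it propagate rather than retrying without verification.
    """
    ctx = ctx or make_verifying_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing non-verifying TLS context: " + "; ".join(problems))
    conn = imaplib.IMAP4(host, port)            # plaintext connection first
    typ, _ = conn.starttls(ssl_context=ctx)     # upgrade; verifies the certificate
    if typ != "OK":
        raise RuntimeError("server refused STARTTLS")
    conn.login(user, password)                  # credentials only after the upgrade
    return conn


if __name__ == "__main__":
    # Offline demonstration: the hardened context audits clean, the legacy one does not.
    print("verifying context findings:", audit_context(make_verifying_context()))
    print("legacy context findings:", audit_context(legacy_nonverifying_context()))
```

The important design point is the ordering: LOGIN is only sent after `starttls()` has returned and the certificate has been validated, and the audit runs before any connection is attempted, so a misconfigured build fails closed instead of silently accepting whatever certificate the network presents.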