[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation
From:       Dimitrios Glynos <dimitris () census-labs ! com>
Date:       2021-02-17 18:06:00
Message-ID: 5d2e2615-eed6-40ac-2788-3e4a882e2f80 () census-labs ! com
[Download RAW message or body]

[Attachment #2 (multipart/mixed)]


Hello,

Rayd Debbas of CENSUS identified that Canary Mail versions 3.20 and 3.21
(and possibly previous versions) do not perform a certificate validation
check when configured for IMAP in STARTTLS mode. This bug affects Canary
Mail builds for Apple MacOS and iOS.

It is thus possible to carry out a man-in-the-middle attack in such
scenarios, and victim users receive no warning. More information
about the issue can be found here:

https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/


The creators of Canary Mail, have released version 3.22
of the software which addresses the issue. The relevant git commit
can be found here:

https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018?branch=45acb4efbcaa57a20ac5127dc976538671fce018&diff=split


CVE-2021-26911 was assigned to this issue by MITRE.

Kind regards,

Dimitris


["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]