CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation

[Dimitrios Glynos <dimitris () census-labs com>]

Hello,

Rayd Debbas of CENSUS identified that Canary Mail versions 3.20 and 3.21
(and possibly previous versions) do not perform a certificate validation
check when configured for IMAP in STARTTLS mode. This bug affects Canary
Mail builds for Apple MacOS and iOS.

It is thus possible to carry out a man-in-the-middle attack in such
scenarios, and victim users receive no warning. More information
about the issue can be found here:

https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/

The creators of Canary Mail, have released version 3.22
of the software which addresses the issue. The relevant git commit
can be found here:

https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018?branch=45acb4efbcaa57a20ac5127dc976538671fce018&diff=split

CVE-2021-26911 was assigned to this issue by MITRE.

Kind regards,

Dimitris

Attachment: signature.asc
Description: OpenPGP digital signature