oss-sec mailing list archives
CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation
From: Dimitrios Glynos <dimitris () census-labs com>
Date: Wed, 17 Feb 2021 20:06:00 +0200
Hello, Rayd Debbas of CENSUS identified that Canary Mail versions 3.20 and 3.21 (and possibly previous versions) do not perform a certificate validation check when configured for IMAP in STARTTLS mode. This bug affects Canary Mail builds for Apple MacOS and iOS. It is thus possible to carry out a man-in-the-middle attack in such scenarios, and victim users receive no warning. More information about the issue can be found here: https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/ The creators of Canary Mail, have released version 3.22 of the software which addresses the issue. The relevant git commit can be found here: https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018?branch=45acb4efbcaa57a20ac5127dc976538671fce018&diff=split CVE-2021-26911 was assigned to this issue by MITRE. Kind regards, Dimitris
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE-2021-26911: Canary Mail with IMAP STARTTLS missing certificate validation Dimitrios Glynos (Feb 17)