TLS is currently the most widely used encryption technology. However, due to historical reasons, the TLS protocol is not used directly in the mail protocol but negotiated through STARTTLS. STARTTLS can be used in SMTP, POP3, TMAP and other mail communication protocols to upgrade the transmission process from plaintext to encrypted connection without the need to use a separate communication encryption port. The introduction of STARTTLS has increased complexity and also introduced potential attack methods such as command injection.
At the 30th USENIX Security Symposium Security Conference held on August 11-13, researchers found 40 unfixed security vulnerabilities in different STARTTLS implementations, and about 320,000 mail servers were affected by command injection attacks. Attackers can use these security vulnerabilities to perform man-in-the-middle attacks, forge email client content and steal relevant credential information.
The vulnerability affects multiple mainstream email clients, including Apple Mail, Gmail, Mozilla Thunderbird, Claws Mail, Mutt, Evolution, Exim, Mail.ru, Samsung Email, Yandex and KMail. The attack process requires the malicious party to modify the connection between the mailbox client and the mailbox server and have the login credentials of the account on the mail server.
The email client must authenticate with a user name and password before submitting new emails or accessing existing emails. For these connections, the transition from STARTTLS to TLS must be strictly implemented, because security downgrades will reveal user names and passwords, and attackers can have full access to email accounts.
In another scenario, the attacker can also forge the content of the email. Before the TLS handshake, you can insert additional content in the server message as a response to the STARTTLS command, and the client will be induced to process the server command as if it were part of an encrypted connection. Researchers call this attack response injection.
The IMAP protocol defines the standard for the mailbox client to extract mail messages from the mailbox server through a TCP/IP connection. PREAUTH is a response, indicating that the connection has been authenticated by an external method. Malicious attackers can send PREAUTH messages to prevent connection upgrades and force the client to use non-encrypted connections to bypass the STARTTLS implementation in IMAP.
The researchers analyzed the STARTTLS in SMTP, POP3 and IMAP, and developed a semi-automated test tool set EAST containing more than 100 test cases, covering STARTTLS removal, command and response injection, modification attacks, UI spoofing attacks, etc. The main focus of the research is the confidentiality and integrity of email sending and email retrieval. Through the analysis of 28 clients and 23 servers, the researchers found more than 40 STARTTLS vulnerabilities. Attackers can use these vulnerabilities to launch attacks such as mailbox spoofing and credential theft. Only 3 of the 28 clients did not have any STARTTLS-related security issues, and only 7 of the 23 tested servers did not find any security issues.
Researchers conducted Internet scans and found that more than 320,000 mailbox servers (approximately 2%) were affected by command injection attacks.
Compared to STARTTLS, implicit TLS is more secure. Researchers recommend that users configure their email clients to use SMTP, POP3, and IMAP (ports 465, 995, and 993, respectively) with implicit TLS configured to provide TLS functionality by default.