[Standards] Fwd: [Uta] STARTTLS vulnerabilities

Peter Saint-Andre stpeter at mozilla.com
Wed Aug 11 17:08:13 UTC 2021

Perhaps of interest here...

-------- Forwarded Message --------
Subject: [Uta] STARTTLS vulnerabilities
Date: Wed, 11 Aug 2021 17:42:40 +0200
From: Hanno Böck <hanno at hboeck.de>
To: Uta at ietf.org


I wanted to share some research we have done on vulnerabilities in
STARTTLS implementations:

We started analyzing STARTTLS implementations in E-Mail servers and
clients based on the 2011 command injection discovered in Postfix. We
learned that this vulnerability is still very prevalent in current
servers and that clients suffer from similar vulnerabilities. We also
found some IMAP specific vulnerabilities.

Focussing on client-to-server communication our recommendations are
mostly in line with what this working group has already concluded in
RFC 8314, which is that implicit TLS on its own port should be
preferred over STARTTLS.

Our research has not focussed on the server-to-server part. Still I
think particularly the buffering / injection vulnerabilities are
a concern if one wants to secure s2s communication with mechanisms like
MTA-STS. I strongly recommend that users of MTA-STS audit their
STARTTLS implementations for buffering bugs.
(We found a buffering bug in Yahoo's MX servers, and Yahoo is one of
the companies driving MTA-STS. I was unable to report this properly to
Yahoo; I reported it through their HackerOne bug bounty program, but the
bug triagers were unwilling to try to understand the issue and didn't
forward it to Yahoo.)

Hanno Böck
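The buffering bug class the message refers to, modelled here as an added example (this is not code from Postfix, from the research described, or from the Uta list): a line-based command loop that reads from a single socket buffer, shown in its vulnerable form beside the hardened form. A real server hands the socket to its TLS library at STARTTLS, but any bytes the application had already read into its own buffer never pass through TLS, and a loop that keeps draining that buffer attributes plaintext commands to the encrypted session. The class name `SimulatedSmtpServer`, the transcripts, and the `554` reply text are constructed for the illustration.

```python
"""Model of a STARTTLS command loop with one application-level input buffer.

Constructed example. `discard_plaintext_buffer=False` reproduces the
vulnerable pattern; `True` is the hardened behaviour: data already buffered
when STARTTLS is processed was received in plaintext and is rejected.
"""


class SimulatedSmtpServer:
    def __init__(self, discard_plaintext_buffer: bool):
        self.discard_plaintext_buffer = discard_plaintext_buffer
        self.buffer = b""          # bytes read from the socket, not yet parsed
        self.tls_active = False    # whether the transport is encrypted now
        self.closed = False
        self.log = []              # (command, tls_active when it was processed)
        self.responses = []

    def feed(self, data: bytes) -> None:
        # A socket read appends whatever arrived, possibly several lines.
        self.buffer += data

    def _take_line(self):
        idx = self.buffer.find(b"\r\n")
        if idx < 0:
            return None
        line, self.buffer = self.buffer[:idx], self.buffer[idx + 2:]
        return line

    def process(self) -> list:
        while not self.closed and (line := self._take_line()) is not None:
            cmd = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            if cmd == "STARTTLS" and not self.tls_active:
                if self.buffer and self.discard_plaintext_buffer:
                    # Hardened: leftover bytes arrived before the handshake, so
                    # they cannot belong to the protected session. Reply with a
                    # constructed error, drop them, and end the session.
                    self.responses.append(
                        "554 5.5.1 Error: data received after STARTTLS")
                    self.buffer = b""
                    self.closed = True
                    break
                self.responses.append("220 Ready to start TLS")
                self.tls_active = True   # handshake modelled as instantaneous
                # Vulnerable variant: self.buffer may still hold bytes that
                # followed the STARTTLS line; the loop keeps parsing them with
                # tls_active already True.
                continue
            self.log.append((cmd, self.tls_active))
            self.responses.append("250 OK")
        return self.responses


# Constructed transcript: the client sends STARTTLS and a further command in
# the same segment, without waiting for the 220 reply.
PIPELINED_TRANSCRIPT = b"EHLO client.example\r\nSTARTTLS\r\nMAIL FROM:<a@example>\r\n"


def run_pipelined(discard_plaintext_buffer: bool) -> SimulatedSmtpServer:
    srv = SimulatedSmtpServer(discard_plaintext_buffer)
    srv.feed(PIPELINED_TRANSCRIPT)
    srv.process()
    return srv


def run_well_behaved(discard_plaintext_buffer: bool) -> SimulatedSmtpServer:
    # A conforming client waits for 220 and only then continues inside TLS.
    srv = SimulatedSmtpServer(discard_plaintext_buffer)
    srv.feed(b"EHLO client.example\r\nSTARTTLS\r\n")
    srv.process()
    srv.feed(b"MAIL FROM:<a@example>\r\n")   # now arrives over the TLS channel
    srv.process()
    return srv


if __name__ == "__main__":
    print("vulnerable:", run_pipelined(False).log)
    print("hardened:  ", run_pipelined(True).log, run_pipelined(True).responses)
    print("conforming:", run_well_behaved(True).log)
```

The vulnerable run logs `MAIL` with `tls_active` set, indistinguishable from the conforming client's transcript, which is exactly what makes the bug dangerous on a server whose policy (MTA-STS, client authentication) assumes everything after the `220` was protected. The hardened run rejects the session as soon as it sees buffered bytes at the transition. A complete implementation also resets the session state at that point: RFC 3207 requires the server to discard knowledge obtained before the handshake, such as the EHLO argument, and the client to issue EHLO again.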
