STARTTLS implementations in email clients & servers plagued by 40+ vulnerabilities
Catalin Cimpanu August 18, 2021

STARTTLS implementations in email clients & servers plagued by 40+ vulnerabilities

STARTTLS implementations in email clients & servers plagued by 40+ vulnerabilities

  • Academics discover more than 40 vulnerabilities in the STARTTLS implementation in email clients and email servers.
  • Vulnerable email clients include Thunderbird, Apple Mail, Gmail for Android, Samsung Email.
  • Researchers recommend that users stop using STARTTLS and use their email app's pure TLS-only mode instead.

A group of German academics said they discovered more than 40 security flaws in the implementation of the STARTTLS feature in today’s most popular email clients and email servers.

Also known as Opportunistic TLSSTARTTLS refers to a set of protocol extensions used by email clients and servers to upgrade older email protocols like POP3, IMAP, and SMTP from sending data via a plaintext connection to a secure TLS-encrypted channel.

Developed in the late 90s, STARTTLS worked by checking if a connection could be set up via TLS and then negotiating the TLS connection with all involved parties before sending the email data.

Although the entire STARTTLS negotiation process was fragile and prone to errors, STARTTLS came at a time when there was no broad support for encrypted connections in email clients and email servers. Lacking better alternatives at the time, most users and servers admins chose to enable STARTTLS as a temporary solution until TLS support got broader adoption across the internet.

Today, things have changed. Almost all major email clients and email servers support a pure TLS-only mode where all old protocols like POP3, IMAP, and SMTP are funneled by default via an encrypted channel that safeguards email communications from tampering or wiretapping, with email clients refusing to send emails if a secure TLS connection can’t be established.

However, there are still millions of email clients and hundreds of thousands of email servers where STARTTLS is supported and still enabled.

Users advised to move from STARTTLS to TLS-only modes

In a research project presented at the USENIX 2021 security conference last week, academics said they found more than 40 vulnerabilities in STARTTLS client and server implementations that could be abused to downgrade STARTTLS connections to plaintext forms, intercept email communications, steal passwords, or tamper with email inboxes.

While these attacks required a MitM (Man/Meddler-in-the-Middle) position in order to interact with the STARTTLS initial negotiation process, the research team said that “these vulnerabilities are so common that we recommend to avoid using STARTTLS when possible” and that users and administrators should move to update their clients and servers to using TLS-only connections as soon as possible.

STARTTLS+TLS-options
Thunderbird client connection security settings

The good news is that the researchers have spent the past few months working with email client and server vendors to patch the 40+ vulnerabilities they discovered.

While users have the option to apply these patches and continue using STARTTLS to be safe from attacks, researchers advise that users update their client and server settings and set TLS-only as the default email communication security setting by default, something that other security experts have also been recommending since 2014 already.

Below is a summary of the issues discovered by the research team and the affected email clients and email servers.

Summary of STARTTLS client vulnerabilities

STARTTLS-client-list
Response Injection (Buffering)
ProductProtocolStatusLinks
Apple Mail (macOS)SMTP/POP3/IMAPFixed in macOS High Sierra 10.13.6/Big Sur 11.4CVE-2020-9941, CVE-2021-30696
Apple Mail (iOS/iPadOS)SMTP/POP3/IMAPFixed in iOS/iPadOS 14.0CVE-2020-9941
Mozilla ThunderbirdIMAPFixed in 78.7.0CVE-2020-15685, Vendor advisory, Bug report (restricted)
Claws MailSMTP/POP3/IMAPFixed in 3.17.6 for SMTP/POP3, See libEtPan for IMAPCVE-2020-15917
MuttIMAP/SMTP/POP3Fixed in 1.14.4CVE-2020-14954
NeoMuttIMAP/SMPT/POP3Fixed in 2020-06-19Commit/Patch, see also CVE-2020-14954
EvolutionSMTP/POP3Fixed in 3.36.4 (evolution-data-server)CVE-2020-14928
LibEtPan (Mail Framework for C Language)IMAP/SMTP/POP3Fixed in repository, unreleasedCVE-2020-15953
Exim (MTA sending)SMTPUnfixed (reported privately)
Gmail (iOS/iPadOS)SMTP/IMAPUnfixed (reported privately)
Mail.ru, MyMailSMTPUnfixed (reported privately, report closed as not applicable)
YandexSMTP/IMAPUnfixed (reported privately)
PHP (stream_socket_enable_crypto)SMTP/POP3/IMAPUnfixedBug report (private)
Negotiation and Tampering bugs
ProductDescriptionProtocolStatusLinks
Gmail (Android)Leak of emailsIMAPFixed (retested in 2021.07.11.387440246)
Gmail (Go)Leak of emailsIMAPFixed (retested in 2020.10.15.341102866)
Samsung EmailLeak of emailsIMAPFixed (untested)
AlpineUntagged responses accepted before STARTTLSIMAPUnknown (reported via email)
TrojitáUntagged responses accepted before STARTTLSIMAPUnknownBug report
Mozilla ThunderbirdServer responses prior to STARTTLS processedIMAPFixed in 78.12CVE-2021-29969, Vendor advisory
KMailSTARTTLS ignored when “Server requires authentication” not checkedSMTPUnknownBug report
SylpheedSTARTTLS strippingIMAPUnknownBug report
OfflineIMAPSTARTTLS strippingIMAPUnknownBug report
GMX / Web.de Mail CollectorSTARTTLS strippingPOP3/IMAPFixed
Mail.ru, MyMail, Email app for GmailSTARTTLS StrippingSMTPUnfixed (report closed as not applicable)
Avoiding Encryption via IMAP PREAUTH
ProductStatusLinks
Apple Mail (iOS/iPadOS)Reported February 2020, Re-reported August 2021, Unfixed
Mozilla ThunderbirdFixed in 68.9.0CVE-2020-12398
AlpineFixed in 2.23CVE-2020-14929, Commit
MuttFixed in 1.14.3CVE-2020-14093
NeoMuttFixed in Release 2020-06-19Commit/Patch, see also CVE-2020-14093
GMX / Web.de Mail CollectorFixed
Certificate Validation
ProductProtocolDescriptionStatusLinks
OfflineIMAPIMAPAccepts untrusted certificatesUnknownBug report
GMX / Web.de Mail CollectorPOP3/IMAPAccepts untrusted certificatesStill allows self-signed
YandexSMTP/IMAPAccepts untrusted certificatesUnknown (report closed as not eligible)
Mail.ru, MyMailSMTPAccepts untrusted certificates (SMTP, IMAP)Unknown (report closed as duplicate)
Outlook (Android & iOS)SMTP/IMAPCertificate hostname not checked (SMTP, IMAP)Unknown (report closed as low/medium severity)
GearySMTP/IMAPAccepting an untrusted certificate creates a permanent trust exception for all certificatesFixed in 3.36.3CVE-2020-24661
TrojitáSMTPAccepts untrusted certificatesFixed in repository (77ddd5d4) (no official releases)CVE-2020-15047
Ruby Net::SMTPSMTPOnly checks hostname, ignores certificate signatureFixed in 2.7.2Bug report
Crashes
ProductProtocolDescriptionStatusLinks
AlpineIMAPCrash when LIST or LSUB send before STARTTLSUnknown (reported via email)
BalsaIMAPNullptr dereference when TLS required and PREAUTH sendFixed in 2.5.10CVE-2020-16118
BalsaIMAPStack overflow due to repeated BAD answer to CAPABILITY commandFixed in 2.6.2 (no release yet)Bug Report
BalsaIMAPCrash on untagged EXPUNGE responseFixed in commit 26e554ac (no release yet)Bug Report
EvolutionIMAPInvalid free when no auth mechanisms in greetingFixed in >3.35.91CVE-2020-16117
Miscellaneous
ProductProtocolDescriptionStatusLinks
KMailPOP3Setup wizard in POP3 defaults to unencrypted connectionsFixed in 20.08Bug Report
KMailPOP3Config shows “encrypted”, but it isn’tFixedCVE-2020-15954
KMailSMTP/IMAPDialog loop “forces” the user to accept invalid certificatesUnknownBug Report
Mozilla ThunderbirdPOP3Infinite loop when POP3 server replies with -ERR to STLS commandUnknownBug Report
TrojitáSMTP/IMAPHard to choose implicit TLS due to typo (German)FixedBug Report
TrojitáSMTPSMTP defaults to plaintext on port 587UnknownBug Report

Summary of STARTTLS server vulnerabilities

STARTTLS-server-list
Command Injection (Buffering)
ProductProtocolStatusLinks
Nemesis (used by GMX / Web.de, provider)POP3/IMAPFixed (reported privately)
Interia.pl (provider)SMTP/POP3/IMAPFixed (reported privately)
Yahoo (only MTA-to-MTA, provider)SMTPUnfixed (reported privately)
Yandex (provider)SMTP/POP3/IMAPUnfixed (reported privately)
s/qmailSMTPFixed in 4.0.09CVE-2020-15955
CoremailSMTP/POP3/IMAPUnfixed (reported via CERT)
CitadelSMTP/POP3/IMAPUnfixedCVE-2020-29547, Bug report
Gordano GMSPOP3/IMAPUnfixedCVE-2021-37844
recvmailSMTPFixed in 3.1.2 (reported privately)
SmarterMailPOP3Fixed in Build 7537CVE-2020-29548
Burp CollaboratorSMTPFixed in 2020.9.2Bug report, Vendor release notes
DovecotSMTPFixed in 2.3.14.1 and 2.3.15CVE-2021-33515
Mercury/32SMTP/POP3/IMAPFixed in 4.90CVE-2021-33487
QMail Toaster (1.4.1)SMTPProject discontinued
CourierPOP3Fixed in 1.1.5 (reported privately), known since 2013Discussion from 2013, CVE-2021-38084, Fix
PHP (stream_socket_enable_crypto)SMTP/POP3/IMAPUnfixedBug report (private)
Session Fixation
ProductProtocolStatusLinks
CitadelPOP3/IMAPReported via forum, unfixedForum with report, CVE-2021-37845
IPswitch IMailPOP3/IMAPReported via Mail, unfixedCVE-2021-37846
Miscellaneous Issues
ProductProtocolDescriptionStatusLinks
Nemesis (used by GMX / Web.de, provider)SMTPAdvertises authentication before STARTTLS even though it is disabledFixed (reported via Bugbounty)

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.