Transport Layer Security (TLS) is one of the best-analyzed and most widely used encryption technologies. But for historical reasons, TLS for the email protocol is generally not used directly but negotiated through STARTTLS. However, it added complexity and became liable to security vulnerabilities, such as command injection attacks and naive STARTTLS stripping.
Security researchers exposed nearly 40 different vulnerabilities linked with an opportunistic encryption method in the email clients and servers. The abuse of STARTTLS vulnerabilities could open the gateway to the intended man-in-the-middle attacks, allowing an invader to produce mailbox content and steal user credentials.
They conclude that STARTTLS is vulnerable and should be avoided due to being under-specified in the standards. However, there are still hundreds of thousands of email servers and millions of email clients that support STARTTLS.
Before proceeding further, let’s first know about the STARTTLS.
Table of Contents
What Is STARTTLS?
STARTTLS refers to the standard protocol used to notify the email server that the client wants to move from an insecure connection to a secure one via TLS or SSL. While using Simple Mail Transfer Protocol (SMTP) for sending an email, a combination of STARTTLS and TLS/SSL is used to encrypt the email. STARTTLS is used to establish a secure connection between the two servers, and once it is established successfully, communication between the servers is encrypted.
An email client uses Transmission Control Protocol (TCP) while sending and receiving email using a transport layer to initiate a handshake with an email server. The email client informs the email server which version of TLS or SSL is running, which compression mechanisms it wants to use, and what cipher suits ( a set of processes leveraged to negotiate the security settings) during the setup process.
Once the setup is finished, the email server performs the identity verification to the email client by sending a certificate that trusted the user’s software. It ensures that the email client is not sending mail to an intruder. A key is exchanged between the client and server upon verification. It allows all messages to be sent and received using encryption.
How STARTTLS Vulnerabilities Affect Popular Email Clients?
A group of German researchers, Fabian Ising, Damian Poddebniak, Sebastian Schinzel, and Hanno Böck at the 30th USENIX Security Symposium, identified the now-patched flaws in various STARTTLS implementations. They perform a first structured analysis of the STARTTLS in POP3, SMTP, and IMAP and initiate EAST. It is a semi-automatic testing kit with over 100 test cases. It covered a wide range of STARTTLS stripping variants, tampering attacks, command and response injections, and UI spoofing attacks for email protocols.
Researchers used EAST to examine 28 email clients and 23 servers and reported more than 40 STARTTLS issues. Some of them allow credential stealing, mailbox spoofing, and hosting HTTPS, along with a cross-protocol IMAP attack. An Internet-wide scan was conducted during the research for the command injection attack and discovered 320,000 vulnerable email servers.
Several clients were prone to STARTTLS vulnerabilities, such as STARTTLS stripping attacks. Some of the famous customers influenced by the flaws include Gmail, Apple Mail, Claws Mail, Mozilla Thunderbird, Exim, Evolution, Mutt, Samsung Email, Mail.ru, KMail, and Yandex.
In STARTTLS, each connection initiates in the plaintext and is later upgraded to TLS using a protocol-specific message exchange. Many SMTP servers leverage weak TLS configurations, such as untrusted, invalid, or expired TLS certifications resulting in rejected emails if the server required strong validation. Due to this, email relaying is usually opportunistic because SMTP servers back off to plain text if the TLS negotiation fails.
Attacks Prone To STARTTLS Vulnerabilities
Researchers defined STARTTLS vulnerabilities as those that would not lie if implicit TLS had been exclusively used. They conducted a test that captures STARTTLS issues defined in the standard and gives a basis to detect the novel ones. Here we are going to discuss attacks that are prone to STARTTLS vulnerabilities.
#1. STARTTLS Command Injection Attack
Command injection attack was previously defined for the SMTP but then extended to IMAP and POP3 by modifying the protocol messages. The client sends two commands in one TCP segment. The server adjoins the complete request to a buffer and then parses and divides the command from the buffer. Once the server acknowledges the STARTTLS command, it will promptly begin the transition to TLS and wrap each TCP socket in the TLC socket.
Though, the trailing data after the STARTTLS command stays in the buffer. The server can assume that the command was sent via TLS if the server does not flush the buffer. In this scenario, the server does not flush the buffer, translate the NOOP command inside the TLS, and acknowledges an encrypted answer. The effect of this attack is similar to the TLS session splicing attack.
#2. STARTTLS Response Injection Attack
Researchers generalized the STARTTLS command injection attack to a client-side response injection attack. The server inserts data after the STARTTLS response. It will wait for the server response when the client issues NOOP. Because the server response already exists in the client’s buffer, it will directly evaluate the response. The response was injected as the client proceeded. For example, by sending another command and hinders otherwise, they conclude that the issue is present.
#3. PREAUTH Command
An attacker bypassed the STARTTLS by sending the PREAUTH command. It’s easy to see as the client proceeded to SELECT the inbox instead of terminating the connection. At this point, the intruder has full control over the client and only needs to mimic an IMAP server for tampering with the client’s mailbox data. Sensitive data is leaked if the client synchronizes the draft and the sent emails. However, as PREAUTH notifies the MUA that is already authenticated, it will not expose user credentials.
#4. Malicious Redirects
Mailbox referrals are helpful when combined with PREAUTH greetings. As an attacker bypass STARTTLS security with a PREAUTH greeting, they can escalate the problem by responding with a redirect to the client’s SELECT command. It notifies the client that the selected mailbox is available on another server. The attacker can select a domain and use a server for which they have a valid X.509 certificate. It will immediately leak the user credential to the hacker if the client uses this referral.
How STARTTLS vulnerabilities affect popular email servers?
STARTTLS vulnerabilities affect popular email servers using the following ways.
1. Stealing login Credentials With IMAP And SMTP
In 2011, Wietse Venema defined a bug in STARTTLS implementations allowing injecting plaintext commands. The server interprets these commands as if they were part of an encrypted connection. It works by sending more commands with the STARTTLS command in the same TCP segment. This command injection is used to steal user credentials using IMAP and SMTP protocols.
The attack needs a Meddler-in-the-middle attacker to modify network traffic and has login credentials for their account on that server. The malicious actor can insert commands that authenticate them and start sending or storing an email. The hacker can access the login credentials sent by the target.
2. Mailbox Content Forgery
Researchers discovered an attack that is similar to the command injection in the email client application and called it a response injection. Facilitating the mailbox forgery by inserting the additional content to server mail in response to the STARTTLS command before a TLS handshake. If the clients were part of an encrypted connection, they can be tricked into processing server commands.
3. IMAP Connection Downgrade
In an IMAP protocol, the server can alert the client in the first mail that it has been authenticated by the PREAUTH command. The protocol prohibits the use of the STARTTLS command in the authenticated state. Thus, if a client app accepts the PREAUTH command, it can’t enforce STARTTLS. A Meddler-in-the-middle attacker may use it to prevent the STARTTLS to upgrade the connection and force a client to use an unencrypted connection.
This issue is severe in combination with the IMAP features Mailbox Referrals and Login Referrals. These commands let a server instruct a client to log into another IMAP server. An attacker can use these referrals to force clients to send credentials using the PREAUTH to prevent an encrypted connection. Fortunately, many clients do not support these referral features.
How You Can Protect From STARTTLS Attacks?
Here are some recommendations that can protect from STARTTLS attacks.
#1. Recommendations For Email Client Users
Email clients should authenticate themselves with a username and strong password before sending a new email or opening existing emails. Moreover, the transitions towards TLS using STARTTLS must be enforced because a downgrade can reveal the username and password and allow an intruder to access the email account.
According to the researchers, implicit TLS is more secure than STARTTLS, and for users, it is recommended to configure their email clients to use POP3, SMTP, and IMAP with implicit TLS on dedicated ports, such as SMTP submission on port 465, IMAP on port 993, and POP3 on port 995.
#2. Recommendations For Mail Server Administrators
Make sure to use secure connections while securing your mail servers. Encrypt IMAP and POP3 authentication and use TLS and SSL. Moreover, limit the number of connection and authentication errors to avoid attacks. Eliminate unused functionalities from the server by disabling unnecessary default settings. Mail server administrators should avoid being an open relay for intruders by specifying the domains and IP addresses.
To protect your mail servers from unauthorized access, implement access control and authentication. For example, SMTP requires users to have a username and password to send mail from the server. Check DNS-based checklist and do not accept emails from any IPs or domains listed on them.
#3. Recommendation For Application Developers
Both the client applications and email servers should provide implicit TLS by default. Software developers may not support STARTTLS in the long term and thus simplify their code and configuration files and dialogs. It is recommended to audit all applications supporting STARTTLS, both on the server and client-side, to discover bugs. Moreover, applications need to ensure that no unencrypted content is processed as part of an encrypted connection. PREAUTH in combination with the STARTTLS must not be allowed by the IMAP application. EAST toolkit helps in application testing.
Tools To Test STARTTLS Vulnerabilities
Tools To Test Email Servers
- EAST Toolkit
Email Analysis Toolkit (EAST) is for the email server tests that support SMTP, IMAP, POP3, and STARTTLS. It can be configured to run precise message flows. It’s a semi-authentic toolkit with over 100 test cases that covers a wide range of STARTTLS stripping variants, tampering attacks, command and response injection, and UI spoofing attacks for email protocol.
- Command injection tester
It’s a free command-line tool that checks the services of a server on any port for supporting the SSL/TLS ciphers, cryptographic flaws, and protocols.
It’s a Java-based framework to analyze TLS libraries. It can send arbitrary protocol messages in arbitrary order to peers and describe their modifications through a provided interface. It allows developers to define a custom TLS protocol flow and test it against the TLS library.
TLS-Scanner tool is used to help security researchers and pen testers to evaluate TLS Server configurations.
Tool To Test Email Clients
Fail Mail Server
The Fake Mail Server acts as a normal email server with the difference that it can be configured to respond to any command. The exact behavior can be configured with the test case configurations.
A group of German researchers performed the first thorough, systematic analysis of the STARTTLS vulnerabilities. The inconsistencies in the standards between the IMAP features, especially PREAUTH, referrals, and unsolicited response allow attacks, such as credential stealing. In this article, we have discussed several flaws in the email client and server implementation. STARTTLS has systematic issues leading to implementation vulnerabilities, such as no security advantage over implicit TLS, slower than TLS, and that STARTTLS is insufficiently specified. Therefore, it’s better to use implicit TLS for email submission and retrieval.
As we promised, we have covered, what is STARTTLS, attacks prone to STARTTLS Vulnerabilities, how to protect from the attacks, and most important: tools needed to validate the vulnerability.