[committee] Vulnerability Notification about Email Auto-configuration - Round 2
sswen at mail.ustc.edu.cn
sswen at mail.ustc.edu.cn
Tue Aug 27 09:42:50 AWST 2024
Hello,
I am a security researcher at USTC, China. Recently, our group has discovered some defects around email auto-configuration [1, 2, 3, 4] regarding the process of transmitting configuration information between client and server and would like to inform you about issues in your server.
- DNS SRV records are not protected by DNSSEC. DNSSEC prevents DNS spoofing by providing origin authentication of DNS data. Although the deployment of DNSSEC is limited at this time, DNSSEC is supported by most reputable authoritative servers, and administrators are strongly encouraged to use DNSSEC to protect all DNS RR.
Please double-check your auto-configuration deployment against the DNS SRV records as shown in the attached figure yourself or contact your service providers. If you have any other concerns, don't hesitate to contact me.
P.S. We performed a similar notification campaign last month (replies are in progress), which focused on reporting on whether the content of the configuration information provided contributed to the establishment of secure connections. This time, we are primarily reporting on security defects during the transmission of configuration information.
Best regards,
Shawn
[1] https://datatracker.ietf.org/doc/draft-bucksch-autoconfig/00/
[2] https://msopenspecs.azureedge.net/files/MS-OXDSCLI/%5bMS-OXDSCLI%5d.pdf
[3] https://datatracker.ietf.org/doc/html/rfc6186
[4] https://datatracker.ietf.org/doc/html/rfc8314
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SRV_Records.PNG
Type: image/png
Size: 36297 bytes
Desc: not available
URL: <https://lists.ucc.gu.uwa.edu.au/pipermail/committee/attachments/20240827/fa1d2138/attachment.png>
More information about the committee
mailing list