[committee] Vulnerability Notification about Email Auto-configuration
sswen at mail.ustc.edu.cn
Thu Jul 4 04:20:31 AWST 2024
Hello,
I am a security researcher at USTC, China. Recently, our research group have discovered a number of vulnerabilities around email auto-configuration [1, 2, 3, 4] and would like to inform you of affected issues with your server:
- Inconsistent configuration information. Service providers that deploy more than one auto-configuration mechanism must ensure that the information in all configuration files is consistent. Otherwise, a man-in-the-middle (MiTM) attacker can drop packets or hijack TCP connections in such a way that only the least secure configuration information is available to the client.
Suggestions:
It has been shown [5] that there are systemic issues with STARTTLS that are likely to lead to implementation vulnerabilities. If possible, it is recommended to use implicit TLS only (i.e., port 465, 993 or 995) and add encrypted SRV service records (i.e., _imaps._tcp/_pop3s._tcp/_submissions._tcp).
Please carefully check your auto-configuration deployment against the URL paths or DNS SRV records as shown in the attached figure (e.g., example.com). Since this notification is part of our research project, we will re-check your configuration files to verify if the vulnerability has been fixed. If you wish to quit this check, please contact me at this email.
If you need further information or have any other questions, please do not hesitate to contact me.
Best regards,
Shushang
[1] https://datatracker.ietf.org/doc/draft-bucksch-autoconfig/00/
[2] https://msopenspecs.azureedge.net/files/MS-OXDSCLI/%5bMS-OXDSCLI%5d.pdf
[3] https://datatracker.ietf.org/doc/html/rfc6186
[4] https://datatracker.ietf.org/doc/html/rfc8314
[5] Poddebniak, D., Ising, F., Böck, H., & Schinzel, S. (2021). Why TLS is better without STARTTLS: A Security Analysis of STARTTLS in the Email Context. In 30th USENIX Security Symposium (USENIX Security 21) (pp. 4365-4382).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: autoconfiguration_requestURL.PNG
Type: image/png
Size: 93994 bytes
Desc: not available
URL: <https://lists.ucc.gu.uwa.edu.au/pipermail/committee/attachments/20240704/f1c3d468/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SRV_Records.PNG
Type: image/png
Size: 15348 bytes
Desc: not available
URL: <https://lists.ucc.gu.uwa.edu.au/pipermail/committee/attachments/20240704/f1c3d468/attachment-0003.png>
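
The consistency check the message asks for can be scripted. The following is an added example, not part of the original message or the researchers' tooling: it normalises an autoconfig XML file and a set of SRV records into comparable endpoints and flags any that are weaker than the strongest one advertised for the same protocol. The XML and SRV data are constructed for example.com, the `socketType` values (`plain`, `STARTTLS`, `SSL`) follow the Mozilla-style autoconfig format, and treating the non-TLS SRV labels as "STARTTLS at best" is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample data for example.com; not taken from any real deployment.
AUTOCONFIG_XML = """<clientConfig version="1.1"><emailProvider id="example.com">
<incomingServer type="imap"><hostname>imap.example.com</hostname><port>993</port><socketType>SSL</socketType></incomingServer>
<outgoingServer type="smtp"><hostname>smtp.example.com</hostname><port>465</port><socketType>SSL</socketType></outgoingServer>
</emailProvider></clientConfig>"""
SRV_RECORDS = """\
_imaps._tcp.example.com. 3600 IN SRV 0 1 993 imap.example.com.
_imap._tcp.example.com. 3600 IN SRV 10 1 143 imap.example.com.
_submission._tcp.example.com. 3600 IN SRV 0 1 587 smtp.example.com."""

RANK = {"plain": 0, "STARTTLS": 1, "SSL": 2}  # higher = stronger transport security
# SRV label -> (protocol, best security it can imply); labels from RFC 6186 / RFC 8314.
SRV_MAP = {"_imap": ("imap", "STARTTLS"), "_imaps": ("imap", "SSL"),
           "_pop3": ("pop3", "STARTTLS"), "_pop3s": ("pop3", "SSL"),
           "_submission": ("smtp", "STARTTLS"), "_submissions": ("smtp", "SSL")}

def from_autoconfig(xml_text):
    """Endpoints (protocol, host, port, security) from an autoconfig XML file."""
    root = ET.fromstring(xml_text)
    return [(s.get("type"), s.findtext("hostname"), int(s.findtext("port")), s.findtext("socketType"))
            for tag in ("incomingServer", "outgoingServer") for s in root.iter(tag)]

def from_srv(zone_text):
    """Endpoints from SRV records in presentation format; target '.' means not offered."""
    out = []
    for line in zone_text.strip().splitlines():
        name, _ttl, _cls, _type, _prio, _weight, port, target = line.split()
        if target != ".":
            proto, sec = SRV_MAP[name.split(".")[0]]
            out.append((proto, target.rstrip("."), int(port), sec))
    return out

def audit(sources):
    """Flag every endpoint weaker than the strongest one any mechanism advertises
    for the same protocol: these are the options a client could be left with."""
    by_proto = {}
    for mech, endpoints in sources.items():
        for proto, host, port, sec in endpoints:
            by_proto.setdefault(proto, []).append((mech, host, port, sec))
    findings = []
    for proto, eps in sorted(by_proto.items()):
        best = max(RANK[e[3]] for e in eps)
        findings += [(proto, mech, f"{host}:{port}", sec)
                     for mech, host, port, sec in eps if RANK[sec] < best]
    return findings

if __name__ == "__main__":
    print(audit({"autoconfig": from_autoconfig(AUTOCONFIG_XML), "srv": from_srv(SRV_RECORDS)}))
```

An empty result means every mechanism advertises the same security level per protocol; each finding names the mechanism and endpoint to remove or upgrade.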