Bug 1172906 (CVE-2020-14154)

Summary: VUL-0: CVE-2020-14154: mutt,neomutt: expired certs not properly rejected with GnuTLS
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: Andreas.Stieger, atoptsoglou, dsterba, jpupava, kai.liu, meissner, werner, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/261484/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2020-06-15 06:56:26 UTC
Announced by upstream. No CVEs AFAICS

I've just released version 1.14.3. Instructions for downloading are
available at <http://www.mutt.org/download.html>, or the tarball can be
directly downloaded from <http://ftp.mutt.org/pub/mutt/>. Please take
the time to verify the signature file against my public key.

This is an important security release fixing two issues.

The first is a possible IMAP man-in-the-middle attack. No credentials
are exposed, but could result in unintended emails being "saved" to an
attacker's server. The $ssl_starttls quadoption is now used to check
for an unencrypted PREAUTH response from the server.

Thanks very much to Damian Poddebniak and Fabian Ising from the Münster
University of Applied Sciences for reporting this issue, and their help
in testing the fix.

The second fix is for a problem with GnuTLS certificate prompting.
"Rejecting" an expired intermediate cert did not terminate the
connection. Thanks to @henk on IRC for reporting the issue.
Comment 1 Wolfgang Frisch 2020-06-15 15:28:37 UTC
*** Bug 1172935 has been marked as a duplicate of this bug. ***
Comment 2 Wolfgang Frisch 2020-06-15 15:29:42 UTC
CVE-2020-14093

Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a
PREAUTH response. STARTTLS is not allowed in the Authenticated state, so
previously Mutt would implicitly mark the connection as authenticated and skip
any encryption checking/enabling. No credentials are exposed, but it does allow
messages to be sent to an attacker, via postpone or fcc'ing for instance.

References:
https://gitlab.com/muttmua/mutt/-/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14093
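The PREAUTH problem described in the announcement (comment 0) and in the CVE-2020-14093 text above, as an added example that is not mutt's code: a small model of an IMAP client's greeting handling, driven against a constructed man-in-the-middle greeting. The pre-1.14.3 path takes "* PREAUTH" at face value and lands in Authenticated state on a plaintext socket, where STARTTLS is no longer possible, so the next fcc/postpone APPEND goes to the attacker; the fixed path consults the $ssl_starttls quadoption first. The prompt wording, the Quad/Verdict names, the scripted prompt replies and the APPEND/LOGIN lines are assumptions for this demo, not mutt's actual strings.

```python
# Added example (not mutt's code): model of IMAP greeting handling around
# CVE-2020-14093. Names, prompt text and the MITM greeting are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Quad(Enum):
    """The four values a mutt quadoption such as $ssl_starttls can take."""
    NO = "no"
    YES = "yes"
    ASK_NO = "ask-no"
    ASK_YES = "ask-yes"


class Verdict(Enum):
    STARTTLS = "send STARTTLS, then authenticate inside TLS"
    LOGIN = "authenticate on the connection as it is"
    PREAUTH_TLS = "already authenticated, inside an existing TLS tunnel"
    PREAUTH_PLAINTEXT = "already authenticated, but the socket is plaintext"
    ABORT = "close the connection"


@dataclass
class ImapClient:
    ssl_starttls: Quad
    encrypted: bool = False     # True if a TLS tunnel already wraps the socket
    fixed: bool = True          # False reproduces the pre-1.14.3 behaviour
    answers: List[bool] = field(default_factory=list)   # scripted prompt replies
    transcript: List[str] = field(default_factory=list)

    def prompt(self, question: str, default: bool) -> bool:
        """Stand-in for the interactive quadoption prompt; replies are scripted."""
        self.transcript.append(f"? {question} [{'yes' if default else 'no'}]")
        return self.answers.pop(0) if self.answers else default

    def decide(self, question: str, on_yes: Verdict, on_no: Verdict) -> Verdict:
        q = self.ssl_starttls
        if q is Quad.YES:
            return on_yes
        if q is Quad.NO:
            return on_no
        return on_yes if self.prompt(question, q is Quad.ASK_YES) else on_no

    def on_greeting(self, line: str) -> Verdict:
        self.transcript.append("S: " + line)
        if line.startswith("* PREAUTH"):
            # RFC 3501: PREAUTH opens the session in Authenticated state, where
            # STARTTLS is not allowed, so this is the last chance to refuse plaintext.
            if self.encrypted:
                return Verdict.PREAUTH_TLS
            if not self.fixed:
                return Verdict.PREAUTH_PLAINTEXT   # the bug: greeting taken at face value
            return self.decide("Abort unencrypted PREAUTH connection?",
                               Verdict.ABORT, Verdict.PREAUTH_PLAINTEXT)
        if line.startswith("* OK"):
            if self.encrypted:
                return Verdict.LOGIN
            return self.decide("Secure connection with TLS?", Verdict.STARTTLS, Verdict.LOGIN)
        return Verdict.ABORT   # "* BYE" or anything unexpected


def connect(client: ImapClient, greeting: str,
            draft: str = "From: me\r\n\r\nnot yet sent") -> Tuple[Verdict, bool, List[str]]:
    """Drive the client through the greeting and the first fcc/postpone APPEND.
    Returns (verdict, exposed, transcript); exposed is True when the draft
    would leave the machine on an unencrypted socket."""
    verdict = client.on_greeting(greeting)
    t = client.transcript
    if verdict is Verdict.ABORT:
        t.append("C: a001 LOGOUT")
        return verdict, False, t
    if verdict is Verdict.STARTTLS:
        t.append("C: a001 STARTTLS")
        client.encrypted = True          # assume the handshake succeeds
        t.append("C: a002 LOGIN user pass")
    elif verdict is Verdict.LOGIN:
        t.append("C: a001 LOGIN user pass")
    # PREAUTH paths send no credentials at all, which is why the report says
    # none are exposed; the message body still is.
    t.append(f"C: a003 APPEND postponed {{{len(draft)}}}")
    return verdict, not client.encrypted, t


if __name__ == "__main__":
    MITM = "* PREAUTH [CAPABILITY IMAP4rev1] attacker-controlled greeting"   # constructed
    for label, cl in [("pre-1.14.3", ImapClient(Quad.YES, fixed=False)),
                      ("fixed, ssl_starttls=yes", ImapClient(Quad.YES)),
                      ("fixed, ask-yes, user says no", ImapClient(Quad.ASK_YES, answers=[False]))]:
        verdict, exposed, transcript = connect(cl, MITM)
        print(f"--- {label}: {verdict.name}, draft exposed: {exposed}")
        print("\n".join(transcript))
```

The point the model makes visible: with a genuine "* OK ... STARTTLS" greeting the quadoption governs whether the client upgrades to TLS before LOGIN, but a spoofed "* PREAUTH" greeting never reaches that branch at all on the old path. The fix re-uses the same option to decide whether an unencrypted Authenticated session is acceptable, and with ssl_starttls=yes the only remaining action is LOGOUT.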
Comment 3 Wolfgang Frisch 2020-06-15 15:29:56 UTC
SUSE:SLE-10-SP3:Update   mutt      Affected
SUSE:SLE-11:Update       mutt      Affected
SUSE:SLE-12:Update       mutt      Affected
SUSE:SLE-15:Update       mutt      Affected
Comment 4 Wolfgang Frisch 2020-06-16 07:30:56 UTC
CVE-2020-14154

Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS
certificate prompt, the user rejects an expired intermediate certificate.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14154
http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html
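The certificate-prompt issue behind CVE-2020-14154, as an added example that is not mutt's code: a model of walking a certificate chain from leaf to root, putting every element that fails a check to the user, and what happens to a "no" answer. On the buggy path a rejected intermediate is skipped and the walk continues to a trusted root, so the connection is allowed anyway; on the fixed path any rejection closes the connection. The Cert fields, the three checks, the prompt callback and the constructed chain are assumptions for this demo, and signature verification is not modelled.

```python
# Added example (not mutt's code): model of interactive chain prompting around
# CVE-2020-14154. Cert fields, checks, prompt shape and the chain are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


Prompt = Callable[[Cert, List[str]], bool]   # (cert, problems) -> user accepts?


def problems_for(chain: List[Cert], depth: int, now: datetime, trusted: Set[str]) -> List[str]:
    """Checks one chain element; index 0 is the leaf, the last one the root.
    Signature verification is deliberately not modelled here."""
    cert = chain[depth]
    found = []
    if not (cert.not_before <= now <= cert.not_after):
        found.append("expired or not yet valid")
    if depth + 1 < len(chain):
        if chain[depth + 1].subject != cert.issuer:
            found.append("issuer does not match the next certificate")
    elif cert.subject not in trusted:
        found.append("root not in the trust store")
    return found


def check_chain(chain: List[Cert], now: datetime, trusted: Set[str],
                prompt: Prompt, fixed: bool = True) -> Tuple[bool, List[str]]:
    """Return (connection_allowed, log). Every certificate with problems is put
    to the user. With fixed=False a rejection above the leaf is logged but the
    walk continues, which is the behaviour the CVE text describes."""
    log = []
    for depth, cert in enumerate(chain):
        problems = problems_for(chain, depth, now, trusted)
        if not problems:
            log.append(f"[{depth}] {cert.subject}: ok")
            continue
        accepted = prompt(cert, problems)
        log.append(f"[{depth}] {cert.subject}: {'; '.join(problems)} -> "
                   f"{'accepted by user' if accepted else 'rejected by user'}")
        if accepted:
            continue
        if fixed or depth == 0:
            log.append("rejected certificate: closing the connection")
            return False, log
        # buggy path: the rejected intermediate is simply skipped
    return True, log


def demo_chain() -> List[Cert]:
    """Constructed chain: valid leaf, intermediate expired on 2020-01-01, valid root."""
    utc = timezone.utc
    return [
        Cert("imap.example.test", "Demo Intermediate CA",
             datetime(2020, 1, 1, tzinfo=utc), datetime(2021, 1, 1, tzinfo=utc)),
        Cert("Demo Intermediate CA", "Demo Root CA",
             datetime(2015, 1, 1, tzinfo=utc), datetime(2020, 1, 1, tzinfo=utc)),
        Cert("Demo Root CA", "Demo Root CA",
             datetime(2010, 1, 1, tzinfo=utc), datetime(2030, 1, 1, tzinfo=utc)),
    ]


DEMO_NOW = datetime(2020, 6, 15, tzinfo=timezone.utc)   # the day of the report
DEMO_TRUSTED = {"Demo Root CA"}


if __name__ == "__main__":
    reject = lambda cert, problems: False          # user answers "no" every time
    for fixed in (False, True):
        ok, log = check_chain(demo_chain(), DEMO_NOW, DEMO_TRUSTED, reject, fixed=fixed)
        print(f"fixed={fixed}: connection {'allowed' if ok else 'refused'}")
        print("\n".join("  " + line for line in log))
```

The check that matters is the one after the prompt: a user's "no" has to be a terminal result for the whole handshake, not a per-certificate note that the loop is free to override once it reaches a trusted root.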
Comment 13 Dr. Werner Fink 2020-06-19 11:15:15 UTC
The submits have to be tested to make sure that SSL/TLS is still working
Comment 15 Jozef Pupava 2020-06-23 09:29:17 UTC
(In reply to Dr. Werner Fink from comment #13)
> The submits have to be tested to make sure that SSL/TLS is still working

With the update SSL/TLS does not work, with ssl_starttls = yes

possible problem line 181 in mutt-1.10.1-backport-mutt_ssl_gnutls-1.14.3.diff

# echo -e "Hello,\nthis is message from admin." | mutt -s "Hello from openQA" -- nimda@localhost
gnutls_priority_set_direct(֦!�NORMAL:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0): The request is invalid.
Could not negotiate TLS connection
Could not send the message.
Comment 16 Marcus Meissner 2020-06-23 09:37:04 UTC
I think this part of the patch should not have been removed:

+-  priority[0] = 0;
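Review bot: dropping `priority[0] = 0;` from the backport removes the initialization of the `priority` buffer before the cipher list is built in it, so the string handed to `gnutls_priority_set_direct()` starts with whatever bytes the buffer already held. The garbage in front of `NORMAL:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0` in comment 15, and the resulting `The request is invalid` error, are consistent with that; the backport should keep this line (or zero the buffer at allocation).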

I think this removed line causes the weird characters in front of the string
Comment 17 Dr. Werner Fink 2020-06-24 05:56:06 UTC
(In reply to Marcus Meissner from comment #16)
> I think this part of the patch should not have been removed:
> 
> +-  priority[0] = 0;
> 
> I think this removed line causes the weird characters in front of the string

Thanks for spotting!
Comment 20 OBSbugzilla Bot 2020-06-24 15:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1172906) was mentioned in
https://build.opensuse.org/request/show/816866 Factory / mutt
Comment 21 Swamp Workflow Management 2020-06-26 10:17:58 UTC
SUSE-SU-2020:1771-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172906,1172935,1173197
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    mutt-1.10.1-3.8.1
SUSE Linux Enterprise Server 15-LTSS (src):    mutt-1.10.1-3.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    mutt-1.10.1-3.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    mutt-1.10.1-3.8.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    mutt-1.10.1-3.8.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    mutt-1.10.1-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2020-06-29 13:13:10 UTC
SUSE-SU-2020:1794-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172906,1172935,1173197
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    mutt-1.10.1-55.11.1
SUSE OpenStack Cloud 8 (src):    mutt-1.10.1-55.11.1
SUSE OpenStack Cloud 7 (src):    mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP5 (src):    mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP4 (src):    mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    mutt-1.10.1-55.11.1
SUSE Enterprise Storage 5 (src):    mutt-1.10.1-55.11.1
HPE Helion Openstack 8 (src):    mutt-1.10.1-55.11.1

Comment 23 Swamp Workflow Management 2020-06-29 22:18:21 UTC
openSUSE-SU-2020:0915-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172906,1172935,1173197
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Sources used:
openSUSE Leap 15.2 (src):    mutt-1.10.1-lp152.3.3.1
Comment 24 Swamp Workflow Management 2020-06-30 13:12:43 UTC
SUSE-SU-2020:14414-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172906,1172935,1173197
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    mutt-1.5.17-42.51.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    mutt-1.5.17-42.51.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mutt-1.5.17-42.51.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    mutt-1.5.17-42.51.1

Comment 25 Alexandros Toptsoglou 2020-07-13 14:41:30 UTC
Done
Comment 26 Andreas Stieger 2020-11-23 17:29:03 UTC
These did not get fixed for neomutt
Comment 27 OBSbugzilla Bot 2020-11-25 20:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1172906) was mentioned in
https://build.opensuse.org/request/show/850817 15.1+15.2 / neomutt
Comment 28 Swamp Workflow Management 2020-11-30 23:15:50 UTC
openSUSE-SU-2020:2127-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    neomutt-20201120-lp152.2.3.1
openSUSE Leap 15.1 (src):    neomutt-20201120-lp151.2.3.1
Comment 29 Swamp Workflow Management 2020-12-04 14:15:24 UTC
openSUSE-SU-2020:2157-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    neomutt-20201120-bp151.3.3.1
Comment 30 Swamp Workflow Management 2020-12-04 14:19:41 UTC
openSUSE-SU-2020:2158-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    neomutt-20201120-bp152.2.3.1
Comment 31 Marcus Meissner 2021-08-23 13:53:10 UTC
released