Bug 1062087 – VUL-0: CVE-2017-15042: go: smtp.PlainAuth susceptible to man-in-the-middle password harvesting

Bug 1062087 - (CVE-2017-15042) VUL-0: CVE-2017-15042: go: smtp.PlainAuth susceptible to man-in-the-middle password harvesting

(CVE-2017-15042)
Summary:	VUL-0: CVE-2017-15042: go: smtp.PlainAuth susceptible to man-in-the-middle pa...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Thomas Hipp
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/192887/
Whiteboard:	CVSSv2:NVD:CVE-2017-15042:4.3:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-10-06 15:00 UTC by Alexander Bergmann
Modified:	2022-02-15 21:55 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2017-10-06 15:00:25 UTC

rh#1498867

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1.
RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on
network connections secured with TLS. The original implementation of
smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do
so. In 2013, upstream issue #5184, this was changed so that the server may
decide whether PLAIN is acceptable. The result is that if you set up a
man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise
that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and
password.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1498867
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15042
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15042.html
http://www.cvedetails.com/cve/CVE-2017-15042/
https://golang.org/cl/68210
https://golang.org/cl/68023
https://github.com/golang/go/issues/22134

Comment 1 Flavio Castelli 2017-10-06 15:03:07 UTC

Reassigning to Thomas who is charge of go packages.

Comment 2 Thomas Hipp 2017-10-11 15:13:01 UTC

All Go versions in IBS and OBS have been patched.

Comment 4 Swamp Workflow Management 2018-05-17 17:00:39 UTC

This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/610123 Factory / go1.10

Comment 12 Swamp Workflow Management 2018-12-15 08:40:46 UTC

This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/658307 Factory / go1.10
https://build.opensuse.org/request/show/658308 Factory / go1.11

Comment 14 Swamp Workflow Management 2018-12-17 15:41:07 UTC

This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/658934 15.0+42.3 / go1.11

Comment 15 Swamp Workflow Management 2019-02-27 11:00:45 UTC

This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/679777 Factory / go1.11

Comment 16 Swamp Workflow Management 2019-03-25 11:10:38 UTC

This is an autogenerated message for OBS integration:
This bug (1062087) was mentioned in
https://build.opensuse.org/request/show/688187 Factory / go1.12