Bug 1980128 (CVE-2021-32066) - CVE-2021-32066 ruby: StartTLS stripping vulnerability in Net::IMAP
Summary: CVE-2021-32066 ruby: StartTLS stripping vulnerability in Net::IMAP
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-32066
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1980567 1980568 1980569 1980570 1980571 1980830 1980831 1980832 1980833 1980834 1980835 1980836 1981779 1981780 1986813 1995173 1996668 2053031 2053032 2053033 2053034 2053196 2057434
Blocks: 1980129
TreeView+ depends on / blocked
 
Reported: 2021-07-07 20:56 UTC by Pedro Sampaio
Modified: 2022-04-17 21:29 UTC (History)
19 users (show)

Fixed In Version: ruby 3.0.2, ruby 2.7.4, ruby 2.6.8, rubygem-net-imap 0.2.2
Doc Type: If docs needed, set a value
Doc Text:
Ruby's Net::IMAP module did not raise an exception when receiving an unexpected response to the STARTTLS command and the connection was not upgraded to use TLS. A man-in-the-middle attacker could use this flaw to prevent Ruby applications using Net::IMAP to enable TLS encryption for a connection to an IMAP server and subsequently eavesdrop on or modify data sent over the plain text connection.
Clone Of:
Environment:
Last Closed: 2021-08-05 19:07:06 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3130 0 None None None 2021-08-11 04:55:57 UTC
Red Hat Product Errata RHBA-2021:4018 0 None None None 2021-10-28 01:19:10 UTC
Red Hat Product Errata RHBA-2022:0593 0 None None None 2022-02-22 12:52:04 UTC
Red Hat Product Errata RHSA-2021:3020 0 None None None 2021-08-05 14:53:43 UTC
Red Hat Product Errata RHSA-2021:3559 0 None None None 2021-09-20 07:58:50 UTC
Red Hat Product Errata RHSA-2021:3982 0 None None None 2021-10-25 20:51:06 UTC
Red Hat Product Errata RHSA-2022:0543 0 None None None 2022-02-16 11:34:46 UTC
Red Hat Product Errata RHSA-2022:0544 0 None None None 2022-02-16 11:35:27 UTC
Red Hat Product Errata RHSA-2022:0581 0 None None None 2022-02-21 10:11:39 UTC
Red Hat Product Errata RHSA-2022:0582 0 None None None 2022-02-21 10:12:34 UTC
Red Hat Product Errata RHSA-2022:0672 0 None None None 2022-02-24 15:36:54 UTC
Red Hat Product Errata RHSA-2022:0708 0 None None None 2022-02-28 18:56:51 UTC

Description Pedro Sampaio 2021-07-07 20:56:43 UTC
Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a “StartTLS stripping attack.”

References:

https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/

Comment 2 Tomas Hoger 2021-07-08 21:34:18 UTC
Upstream commit in Ruby:

https://git.ruby-lang.org/ruby.git/commit/?id=e2ac25d0eb66de99f098d6669cf4f06796aa6256

Note that Ruby 3.1 will no longer include Net::IMAP in its standard library, but will rather bundle net-imap gem.  The fix for this issue in the net-imap repo is:

https://github.com/ruby/net-imap/commit/adba6f0c3e5c5607c4822b9120322eb7e9a77891

Fixed in net-imap 0.2.2.

Comment 3 Tomas Hoger 2021-07-08 21:34:50 UTC
HackerOne report with additional details:

https://hackerone.com/reports/1178562

Comment 4 Tomas Hoger 2021-07-08 21:39:10 UTC
Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980570]


Created ruby:2.5/ruby tracking bugs for this issue:

Affects: fedora-34 [bug 1980571]


Created ruby:2.6/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980567]


Created ruby:2.7/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980568]


Created ruby:master/ruby tracking bugs for this issue:

Affects: fedora-all [bug 1980569]

Comment 5 Tomas Hoger 2021-07-08 21:41:05 UTC
The support for the STARTTLS was added to Net::IMAP in net-imap 0.1.0 / ruby 1.9.0.  Ruby versions prior to 1.9.0 are not affected by this issue.

Comment 9 Yadnyawalk Tale 2021-07-22 11:13:57 UTC
Red Hat CloudForms 5.11 does not ship Ruby or RubyGem net-imap and thus not affected by the flaw. Ruby in the product consumed by respective RHEL repo.

Comment 11 errata-xmlrpc 2021-08-05 14:53:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3020 https://access.redhat.com/errata/RHSA-2021:3020

Comment 12 Product Security DevOps Team 2021-08-05 19:07:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32066

Comment 13 errata-xmlrpc 2021-09-20 07:58:48 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3559 https://access.redhat.com/errata/RHSA-2021:3559

Comment 18 errata-xmlrpc 2021-10-25 20:51:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3982 https://access.redhat.com/errata/RHSA-2021:3982

Comment 19 errata-xmlrpc 2022-02-16 11:34:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0543 https://access.redhat.com/errata/RHSA-2022:0543

Comment 20 errata-xmlrpc 2022-02-16 11:35:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0544 https://access.redhat.com/errata/RHSA-2022:0544

Comment 21 errata-xmlrpc 2022-02-21 10:11:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0581 https://access.redhat.com/errata/RHSA-2022:0581

Comment 22 errata-xmlrpc 2022-02-21 10:12:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0582 https://access.redhat.com/errata/RHSA-2022:0582

Comment 23 errata-xmlrpc 2022-02-24 15:36:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0672 https://access.redhat.com/errata/RHSA-2022:0672

Comment 24 errata-xmlrpc 2022-02-28 18:56:48 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0708 https://access.redhat.com/errata/RHSA-2022:0708


Note You need to log in before you can comment on or make changes to this bug.