A man-in-the-middle-attack possibility was found in the way evolution handles the Secure / Multipurpose Internet Mail Extensions (S/MIME) mail messages. If the S/MIME email was signed and the email message subsequently modified, evolution would consider the S/MIME message signature to be valid even for such a modified message. An attacker could use this flaw to modify the emails (message integrity violation) between communicating parties.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479
This issue does NOT affect the version of the evolution package, as shipped with Red Hat Enterprise Linux 3. This issue affects the versions of the evolution package, as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the versions of the evolution package, as shipped with Fedora releases of 9, 10 and devel.
PoC:

Signer certificate:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=key.pem;att=1;bug=508479

Original message (with valid S/MIME signature):
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=testmail.out;att=2;bug=508479

Modified message (S/MIME signature is also considered to be valid):
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=testmail.out2;att=3;bug=508479
Upstream bug report: http://bugzilla.gnome.org/show_bug.cgi?id=564465
Steps to reproduce:
1. Import the CA in the certificates store
2. Import the mail in an evolution folder
Investigated this today and posted my findings here: http://bugzilla.gnome.org/show_bug.cgi?id=564465#c3 But I really need to talk to someone familiar with the NSS API.
The signed-data blob actually contains a copy of the plaintext embedded inside of it, and it's over that that the signatures were generated. Changing a second copy of the plaintext doesn't invalidate that signature. If I'm reading the code right, it takes this into account and attempts to recompute the digests for the signed-data item using the plaintext which it will be displaying to the user. It overwrites the values in the signed-data item by calling NSS_CMSSignedData_SetDigests(). It looks like NSS_CMSSignedData_SetDigests() doesn't replace any already-computed or included digest values, and that's the root of the problem. Assuming that's the correct behavior in NSS, looping through the digest types, calling NSS_CMSSignedData_SetDigestValue() for each, seems to provide the expected result.
Matt's corrected me -- the existing code only attempts to set the digest in the signed-data item if it finds none.
This has been assigned CVE-2009-0547:

Name: CVE-2009-0547
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0547
Assigned: 20090212
Reference: MLIST:[oss-security] 20090210 CVE Request -- evolution
Reference: URL: http://openwall.com/lists/oss-security/2009/02/10/7
Reference: MISC: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508479
Reference: CONFIRM: http://bugzilla.gnome.org/show_bug.cgi?id=564465
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=484925
Reference: BID:33720
Reference: URL: http://www.securityfocus.com/bid/33720
Reference: SECUNIA:33848
Reference: URL: http://secunia.com/advisories/33848

Evolution 2.22.3.1 checks S/MIME signatures against a copy of the e-mail text within a signed-data blob, not the copy of the e-mail text displayed to the user, which allows remote attackers to spoof a signature by modifying the latter copy, a different vulnerability than CVE-2008-5077.
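The mismatch described in the CVE text above, as an added example that is not part of this bug report and is not Evolution or NSS code: a toy signed-data item whose verifier either ignores or checks the body shown to the user. The HMAC stands in for the signer's public-key signature, and all function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac

SIGNER_KEY = b"constructed-demo-key"   # stand-in for the signer's key pair
ORIGINAL = b"Meeting moved to 10:00\r\n"   # constructed sample body
MODIFIED = b"Meeting moved to 16:00\r\n"   # same body after modification in transit


def make_signed_data(body: bytes) -> dict:
    """Build a toy signed-data item that embeds its own copy of the body."""
    digest = hashlib.sha256(body).digest()
    return {
        "embedded": body,    # copy of the text carried inside the blob
        "digest": digest,    # digest value covered by the signature
        "signature": hmac.new(SIGNER_KEY, digest, hashlib.sha256).digest(),
    }


def signature_ok(signed: dict) -> bool:
    """Check that the signature covers the digest stored in the blob."""
    expected = hmac.new(SIGNER_KEY, signed["digest"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, signed["signature"])


def verify_embedded_only(signed: dict, displayed: bytes) -> bool:
    """Flawed check: validates the blob's own copy and never reads `displayed`."""
    embedded_digest = hashlib.sha256(signed["embedded"]).digest()
    return signature_ok(signed) and hmac.compare_digest(
        embedded_digest, signed["digest"])


def verify_displayed(signed: dict, displayed: bytes) -> bool:
    """Bound check: the digest of the text the user sees must be the signed one."""
    shown_digest = hashlib.sha256(displayed).digest()
    return signature_ok(signed) and hmac.compare_digest(
        shown_digest, signed["digest"])


if __name__ == "__main__":
    signed = make_signed_data(ORIGINAL)
    # The blob is untouched; only the second, displayed copy was changed.
    print("embedded-only check, modified body:", verify_embedded_only(signed, MODIFIED))
    print("displayed-body check, modified body:", verify_displayed(signed, MODIFIED))
    print("displayed-body check, original body:", verify_displayed(signed, ORIGINAL))
```
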
Created attachment 334127 [details] Newly created message for testing of revised patch.
Created attachment 334292 [details] Original S/MIME message. Original S/MIME e-mail message with valid signature.
Created attachment 334293 [details] Modified S/MIME e-mail message with invalid signature.
Created attachment 334294 [details] The CA certificate && private key to check the signatures against.
This issue has been addressed in following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:0354 https://rhn.redhat.com/errata/RHSA-2009-0354.html
This issue has been addressed in following products:

Red Hat Enterprise Linux 4

Via RHSA-2009-0355 https://rhn.redhat.com/errata/RHSA-2009:0355.html
evolution-data-server-2.24.5-4.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
evolution-data-server-2.22.3-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2009-0354.html
http://rhn.redhat.com/errata/RHSA-2009-0355.html

Fedora:
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2784
https://admin.fedoraproject.org/updates/F9/FEDORA-2009-2792