Discovered: 2002-09-08, Ximian has been informed on 2002-09-09. Impact: medium, if SSL (IMAPS, SMTPS, POP3S) used none, if not Affected: Ximian Evolution 1.0.x and earlier Description: Due to missing SSL validation code, Evolution's camel component is vulnerable to common SSL man-in-the-middle attacks, independent of the SSL issues currently in discussion. Certificates accepted once are no longer checked by camel. The behavior described below has been verified using both self-signed certificates as well as a regular valid Thawte-signed certificate (but regarded invalid by camel) for the server and a self-signed certificate for the attacker. As the valid certificate has been regarded invalid, it is also needed to be checked out with a certificate from valid oder valid-made CA. Solution: According to Ximian, Evolution 1.1.x (beta of upcoming 1.2 branch) is no longer affected, so those people who would like to trust in SSL connections should consider upgrading. Ximian has released Evolution 1.1.1. Exploitation Details: Imagine e.g. an IMAP connection over SSL. After a connection breakdown, Evolution quietly re-establishes the IMAPS connection on next access - but it seems to not check the identity of the peer. During the time period no connection is established, the certificate is replaced, e.g. by a SSL m-i-t-m attack, by the attacker's self-signed certificate, allowing him to read and even modify all data transfered. The attacker might also setup SSL m-i-t-m filters first and then drop/kill the connection still established. Evolution re-establishes the connection without showing any warning dialog. Using POP3 and SMTPS over the same certificates (and host) does not postulate any validation as well. Regards, // Veit Wahlich
