OfflineIMAP
cpe:2.3:a:offlineimap:offlineimap:*:*:*:*:*:*:*
- < 8.0.3
A vulnerability exists in OfflineIMAP versions prior to 8.0.3, where the application fails to properly enforce STARTTLS when the server does not explicitly advertise its availability. This oversight can lead to STRIPTLS attacks, allowing a man-in-the-middle to intercept the connection and capture account credentials in cleartext. The issue arises because OfflineIMAP relies on the server's capability list instead of enforcing user-configured security settings.
Exploitation of this vulnerability allows for interception of credentials in cleartext, creating a risk of unauthorized account access.
To reproduce this vulnerability, configure OfflineIMAP to use STARTTLS and connect to a server that does not advertise STARTTLS support. The application will skip the encryption, leaving the connection unprotected and allowing credentials to be sent in plaintext.
Users can upgrade to OfflineIMAP version 8.0.3 or later, where this vulnerability has been addressed.
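The difference between letting the server's capability list decide and enforcing the user's STARTTLS setting, as an added example. This is not OfflineIMAP's code and not the 8.0.3 patch; the function names, the exception and the two greetings are constructed for illustration.

```python
# Added illustration; all names here are hypothetical, not OfflineIMAP's API.

class TLSRequiredError(Exception):
    """The user required STARTTLS but the server did not offer it."""


def parse_capabilities(line):
    """Return the capability set from an untagged CAPABILITY response or
    from a greeting that carries a [CAPABILITY ...] response code."""
    upper = line.decode("ascii", "replace").upper()
    idx = upper.find("CAPABILITY")
    if idx < 0:
        return set()
    rest = upper[idx + len("CAPABILITY"):]
    return set(rest.split("]", 1)[0].split())


def plan_capability_driven(caps, starttls_required):
    """Behaviour the advisory describes: the server's list decides, so a
    missing STARTTLS silently downgrades the session."""
    if "STARTTLS" in caps:
        return ["STARTTLS", "LOGIN"]
    return ["LOGIN"]  # starttls_required is ignored; login is sent in cleartext


def plan_enforced(caps, starttls_required):
    """Fail closed: the user's setting decides, not the server's list."""
    if "STARTTLS" in caps:
        return ["STARTTLS", "LOGIN"]
    if starttls_required:
        raise TLSRequiredError("STARTTLS required but not advertised; not logging in")
    return ["LOGIN"]


# Constructed greetings: one as an honest server sends it, one as it looks
# when STARTTLS is missing from the list.
ADVERTISED = b"* OK [CAPABILITY IMAP4REV1 STARTTLS AUTH=PLAIN] ready\r\n"
NOT_ADVERTISED = b"* OK [CAPABILITY IMAP4REV1 AUTH=PLAIN] ready\r\n"

if __name__ == "__main__":
    for greeting in (ADVERTISED, NOT_ADVERTISED):
        caps = parse_capabilities(greeting)
        print("capability-driven:", plan_capability_driven(caps, True))
        try:
            print("enforced:         ", plan_enforced(caps, True))
        except TLSRequiredError as exc:
            print("enforced:          refused:", exc)
```

A client that takes the enforced path aborts before any authentication command is sent, which is the property to verify after upgrading.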