Errands TLS Certificate Verification Vulnerability for CalDAV Servers
Vulnerability
A vulnerability exists in the Errands task management application, in versions prior to 46.2.10, where the application does not verify TLS certificates presented by CalDAV servers. Any certificate is accepted, including one presented by a malicious party, and the user is never notified. The issue arises because Errands disables certificate verification by default, a decision that the application's author cannot clearly justify. As a result, the credentials sent via HTTP Basic authentication can be intercepted, undermining the confidentiality that TLS is meant to provide.
Impact
Exploitation of this vulnerability enables man-in-the-middle attacks, in which an attacker positioned on the network path intercepts and potentially alters the traffic between the user and the CalDAV server. This can expose sensitive information, in particular the authentication credentials, which are commonly the same ones used for email and other services bundled by the same provider.
Reproduction
The vulnerability can be reproduced by installing Errands version 46.2.8 or earlier and configuring a CalDAV account. During synchronization the application completes the TLS handshake with any certificate, without verifying it, including one presented by a malicious actor.
Remediation
Users can update to Errands version 46.2.10 or later, where this vulnerability has been addressed by re-enabling proper TLS certificate verification.
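The following Python example, added here and not taken from Errands or from this advisory, places the weak TLS setting described under Vulnerability beside the corrected setting described under Remediation, using only the standard library. The `insecure_context()` function is a generic reconstruction of "verification disabled by default" (any certificate accepted, no host-name check), `secure_context()` is the corrected form, and `context_is_verifying()` is an audit check a reviewer can run against any `ssl.SSLContext` a client builds. The CalDAV host, path and credentials are constructed placeholders, and the PROPFIND request is a minimal illustration of what a sync sends over the connection; `sync()` needs a live server and is not executed by the self-check.

```python
import base64
import ssl
from typing import Tuple

# Constructed placeholders for this example; not a real host or real credentials.
CALDAV_HOST = "caldav.example.invalid"
CALDAV_PATH = "/dav/calendars/alice/"
USERNAME = "alice"
PASSWORD = "correct horse battery staple"

# Minimal CalDAV PROPFIND body, the kind of request a client sends when syncing.
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<d:propfind xmlns:d="DAV:"><d:prop><d:displayname/></d:prop></d:propfind>'
).encode("utf-8")


def insecure_context() -> ssl.SSLContext:
    """The weak configuration: the session is encrypted, but any certificate is
    accepted and the host name is never checked. This is a generic reconstruction
    of the behaviour the advisory describes, not Errands' own code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before CERT_NONE is permitted
    ctx.verify_mode = ssl.CERT_NONE  # self-signed, expired, wrong name: all accepted
    return ctx


def secure_context() -> ssl.SSLContext:
    """The corrected configuration: validate the chain against the system trust
    store and require the certificate to match the requested host name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only when chain validation and host-name matching are
    both enabled. Either one alone still lets an interceptor holding a valid
    certificate for some other name pass undetected."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic is base64 of 'user:password'; it is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_header(header: str) -> Tuple[str, str]:
    """What a party terminating the TLS session recovers with a single decode."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_propfind(host: str, path: str, auth_header: str) -> bytes:
    """The raw request bytes; they are only as protected as the peer check was."""
    head = (
        f"PROPFIND {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: {auth_header}\r\n"
        "Depth: 1\r\n"
        "Content-Type: application/xml; charset=utf-8\r\n"
        f"Content-Length: {len(PROPFIND_BODY)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + PROPFIND_BODY


def sync(ctx: ssl.SSLContext) -> int:
    """Send the PROPFIND over a real connection (requires a reachable server).
    With insecure_context() the handshake succeeds against any certificate;
    with secure_context() an untrusted or mismatched one raises ssl.SSLError."""
    import http.client

    conn = http.client.HTTPSConnection(CALDAV_HOST, 443, context=ctx, timeout=10)
    conn.request(
        "PROPFIND",
        CALDAV_PATH,
        body=PROPFIND_BODY,
        headers={
            "Authorization": basic_auth_header(USERNAME, PASSWORD),
            "Depth": "1",
            "Content-Type": "application/xml; charset=utf-8",
        },
    )
    return conn.getresponse().status


if __name__ == "__main__":
    for name, ctx in (("weak", insecure_context()), ("fixed", secure_context())):
        print(f"{name}: verifying={context_is_verifying(ctx)}")
    hdr = basic_auth_header(USERNAME, PASSWORD)
    print("recoverable from the wire:", credentials_from_header(hdr))
```

The audit helper is the part worth reusing: pointing it at the context a client actually hands to its HTTP layer is a quicker regression check than reproducing the man-in-the-middle condition, and it catches the common partial fix where `verify_mode` is restored but `check_hostname` is left off.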