MailKit STARTTLS Response Injection Vulnerability Allowing SASL Mechanism Downgrade
Vulnerability
A STARTTLS response injection vulnerability has been identified in MailKit versions prior to 4.16.0. This vulnerability allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary. As a result, the attacker can downgrade the SASL authentication mechanism, for example, by forcing the use of PLAIN instead of SCRAM-SHA-256. The issue arises because the internal read buffer in SmtpStream, ImapStream, and Pop3Stream is not flushed when the stream is upgraded to SslStream during the STARTTLS process, so any bytes that arrived in plaintext after the STARTTLS reply remain buffered. This oversight causes pre-TLS attacker-injected data to be incorrectly processed as trusted post-TLS responses.
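As an added illustration (not MailKit's code), the following Python toy models the buffered-stream pattern the advisory describes: a line reader that keeps unread plaintext bytes in an internal buffer and then swaps its transport for a TLS transport. Bytes left in the buffer are parsed as if they had arrived over TLS; discarding them at the upgrade point is the fix. The SMTP lines and in-memory transports are constructed samples.

```python
import io


class BufferedLineStream:
    """Toy protocol stream: a transport plus an internal read buffer.
    Models the pattern the advisory describes; it is not MailKit's code."""

    def __init__(self, transport: io.BytesIO) -> None:
        self.transport = transport
        self.buffer = b""

    def read_line(self) -> bytes:
        # Read in chunks, so bytes beyond the line being returned stay buffered.
        while b"\r\n" not in self.buffer:
            chunk = self.transport.read(64)
            if not chunk:
                raise EOFError("transport closed")
            self.buffer += chunk
        line, _, self.buffer = self.buffer.partition(b"\r\n")
        return line

    def pending_plaintext(self) -> int:
        # Bytes received in cleartext but not yet consumed by the parser.
        return len(self.buffer)

    def upgrade_to_tls(self, tls_transport: io.BytesIO, discard_buffer: bool) -> None:
        # The real library wraps the socket in SslStream here. Buffered cleartext
        # that is not dropped at this point is later parsed as if it came over TLS.
        if discard_buffer:
            self.buffer = b""
        self.transport = tls_transport


def starttls_exchange(discard_buffer: bool) -> tuple[int, bytes]:
    # Constructed sample traffic: the cleartext reply to STARTTLS followed by an
    # unsolicited extra line, the kind of injected data the advisory describes.
    plaintext = io.BytesIO(b"220 Ready to start TLS\r\n250-AUTH PLAIN LOGIN\r\n")
    # Constructed sample: the genuine server's reply to EHLO inside the TLS session.
    tls = io.BytesIO(b"250-AUTH SCRAM-SHA-256\r\n")

    stream = BufferedLineStream(plaintext)
    stream.read_line()                          # consume "220 Ready to start TLS"
    leftover = stream.pending_plaintext()       # non-zero: data was pipelined after the reply
    stream.upgrade_to_tls(tls, discard_buffer)
    # First line the client parses as the post-TLS EHLO response.
    return leftover, stream.read_line()
```

A non-zero `pending_plaintext()` at the upgrade point is itself a useful check: a well-behaved server sends nothing in cleartext after its STARTTLS reply, so leftover bytes there should be discarded and can be logged as a protocol anomaly.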
Impact
Exploitation of this vulnerability allows for a SASL authentication mechanism downgrade, manipulating which authentication methods are available to the user. In the case of SMTP, this could force the use of less secure authentication methods, such as PLAIN or LOGIN, instead of more secure options like SCRAM-SHA-256. This vulnerability affects any application that uses MailKit with STARTTLS or StartTlsWhenAvailable, the default setting.
Reproduction
The vulnerability can be reproduced by creating a fake SMTP server that injects a crafted EHLO response into the STARTTLS reply. This can be done using a self-contained C# proof-of-concept that exploits the unflushed buffer issue during the STARTTLS upgrade, allowing the injected data to be processed as if it were a legitimate post-TLS response.
Remediation
Users should upgrade to MailKit version 4.16.0 or later, where this vulnerability has been patched.