Net::IMAP STARTTLS Stripping Vulnerability

Vulnerability

A vulnerability in the Net::IMAP library for Ruby (the net-imap gem) allows a man-in-the-middle attacker to intercept and manipulate the STARTTLS command. Affected versions are 0.6.0 through 0.6.3, 0.5.0 through 0.5.13, 0.4.0 through 0.4.23, and 0.3.0 through 0.3.9. The vulnerability arises because an attacker positioned on the network path can inject a forged tagged 'OK' response to the STARTTLS command, leading the client to believe that a TLS session has been negotiated when it has not. The client then continues the session over the unencrypted socket, exposing credentials and mailbox data in cleartext.

Impact

Successful exploitation strips the TLS upgrade from the session, so all subsequent traffic, including credentials sent via LOGIN or AUTHENTICATE, is transmitted unencrypted and can be read or altered by the attacker.

Reproduction

To reproduce this vulnerability, connect to a server using Net::IMAP and issue the STARTTLS command. A man-in-the-middle attacker positioned between client and server intercepts this command and answers with a response indicating success, without any TLS handshake taking place. The affected client accepts a tagged 'OK' response that arrives before it has finished sending the STARTTLS command, and so incorrectly treats the connection as secure.

Remediation

Upgrade to Net::IMAP version 0.6.4, 0.5.14, 0.4.24, or 0.3.10, all of which include the fix. After upgrading, verify that TLS is actually active on the connection before transmitting credentials or other sensitive data; where the server supports it, prefer implicit TLS (IMAPS on port 993), which wraps the socket before any IMAP command is exchanged and avoids the STARTTLS negotiation entirely.
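The following is an added example of the client-side policy described above; it is not code from the advisory or from the net-imap project. It prefers implicit TLS, and when STARTTLS must be used it refuses to send credentials unless the library reports a verified TLS session. It assumes the net-imap 0.4+ API: Net::IMAP.new accepting port: and ssl: keywords, Net::IMAP#starttls, and Net::IMAP#tls_verified?. The helper names (imap_connect_options, tls_active?, ensure_tls!, open_mailbox) and the TlsNotEstablished error are this example's own.

```ruby
require "openssl"
require "net/imap"

# Added example (not from the advisory or the net-imap project).
# Connection policy that does not rely on a correctly negotiated STARTTLS:
# prefer implicit TLS on port 993, and when STARTTLS is unavoidable, refuse
# to send credentials until the library reports that TLS is active.

IMPLICIT_TLS_PORT = 993 # IMAPS: socket is wrapped in TLS before any IMAP command
STARTTLS_PORT     = 143 # plaintext IMAP that must be upgraded with STARTTLS

class TlsNotEstablished < StandardError; end

# Keyword options for Net::IMAP.new (assumed 0.4+ API: port: and ssl:).
# Implicit TLS leaves no plaintext STARTTLS exchange for an attacker to tamper with.
def imap_connect_options(mode: :implicit)
  case mode
  when :implicit
    { port: IMPLICIT_TLS_PORT, ssl: { verify_mode: OpenSSL::SSL::VERIFY_PEER } }
  when :starttls
    { port: STARTTLS_PORT, ssl: false }
  else
    raise ArgumentError, "unknown connection mode #{mode.inspect}"
  end
end

# True only when the connection reports a verified TLS session.
# Assumes Net::IMAP#tls_verified? (net-imap 0.4+); a connection object that
# lacks the method is treated as not verified rather than trusted.
def tls_active?(imap)
  imap.respond_to?(:tls_verified?) && imap.tls_verified? == true
end

# Guard to call before LOGIN or AUTHENTICATE on a STARTTLS connection.
# Raises instead of letting credentials go out over an unencrypted socket.
def ensure_tls!(imap)
  unless tls_active?(imap)
    raise TlsNotEstablished, "TLS is not active; refusing to send credentials in cleartext"
  end
  imap
end

# Opens an authenticated session. Needs network access, so it is not part of
# the offline checks; the guard functions above are what get exercised there.
def open_mailbox(host, user, password, mode: :implicit)
  opts = imap_connect_options(mode: mode)
  imap = Net::IMAP.new(host, **opts)
  # Explicit certificate verification on the upgrade (assumed starttls keyword API).
  imap.starttls(verify_mode: OpenSSL::SSL::VERIFY_PEER) if mode == :starttls
  ensure_tls!(imap)
  imap.login(user, password)
  imap
end
```

Use open_mailbox(host, user, password) by default; pass mode: :starttls only for servers that do not offer port 993, and let a TlsNotEstablished error abort the session rather than rescuing it and continuing.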

Added: May 9, 2026, 8:27 PM
Updated: May 9, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.6
exploitability: 5.3
remediation: 7.9
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.