VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2020 · Updated Aug 4, 2024

CVE-2020-14154

Description

Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mutt before 1.14.3 fails to terminate a GnuTLS connection when the user rejects an expired intermediate certificate, enabling MITM attacks.

Vulnerability

In Mutt versions prior to 1.14.3, when GnuTLS is used for TLS connections, the certificate verification prompt lets the user reject an expired intermediate certificate. Due to a bug, that rejection does not abort the TLS handshake: the connection proceeds as if the user had accepted the certificate. The issue affects all Mutt versions before 1.14.3 that are compiled with GnuTLS support [1][3].
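To make the failure mode concrete, the following is an added illustration (not Mutt's code, and it does not call GnuTLS): a constructed model of a chain-verification loop in which the user's answer to the prompt is only honoured for the leaf certificate, next to a fail-closed version in which a rejection at any depth aborts the handshake. The structure names, sample chain and timestamps are hypothetical; in a real GnuTLS client the equivalent of `verify_chain_fixed` returning `false` is the verify callback returning non-zero so the library terminates the handshake.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the verification flow described in the advisory.
 * This is NOT Mutt's code and does not call GnuTLS; it only shows why a
 * rejected prompt for an intermediate certificate must abort the handshake.
 */

/* One certificate in a presented chain (hypothetical, simplified). */
typedef struct {
    const char *subject;
    long not_after;   /* expiry as a Unix timestamp */
    bool is_leaf;     /* true for the server's end-entity certificate */
} cert_t;

/* Simulated interactive prompt: returns true if the user accepts the cert. */
typedef bool (*prompt_fn)(const cert_t *cert, const char *reason);

/*
 * Defective pattern: the prompt is shown for every expired certificate,
 * but only the leaf's answer feeds into the final decision. A rejected
 * intermediate is silently ignored and the connection proceeds.
 */
bool verify_chain_buggy(const cert_t *chain, size_t n, long now, prompt_fn prompt)
{
    bool leaf_ok = true;
    for (size_t i = 0; i < n; i++) {
        if (chain[i].not_after < now) {
            bool accepted = prompt(&chain[i], "certificate has expired");
            if (chain[i].is_leaf)
                leaf_ok = accepted;
            /* BUG: for an intermediate, 'accepted' is never consulted */
        }
    }
    return leaf_ok;
}

/*
 * Fail-closed pattern: a rejection at any depth of the chain aborts.
 * (In GnuTLS terms, the verify callback would return non-zero here.)
 */
bool verify_chain_fixed(const cert_t *chain, size_t n, long now, prompt_fn prompt)
{
    for (size_t i = 0; i < n; i++) {
        if (chain[i].not_after < now &&
            !prompt(&chain[i], "certificate has expired"))
            return false;   /* user rejected: abort the handshake */
    }
    return true;
}

/* Simulated users for the two scenarios. */
static bool reject_all(const cert_t *c, const char *reason)
{
    printf("prompt for %s (%s): user rejects\n", c->subject, reason);
    return false;
}
static bool accept_all(const cert_t *c, const char *reason)
{
    printf("prompt for %s (%s): user accepts\n", c->subject, reason);
    return true;
}

/* Constructed sample chain: valid leaf, expired intermediate, valid root. */
#define NOW 1600000000L
static const cert_t SAMPLE_CHAIN[] = {
    { "CN=imap.example.test",         NOW + 86400L * 30,   true  },
    { "CN=Example Intermediate CA",   NOW - 86400L,        false },
    { "CN=Example Root CA",           NOW + 86400L * 3650, false },
};
#define SAMPLE_N (sizeof SAMPLE_CHAIN / sizeof SAMPLE_CHAIN[0])

/* Scenario helpers: does the connection proceed? */
bool buggy_proceeds_after_rejection(void)
{ return verify_chain_buggy(SAMPLE_CHAIN, SAMPLE_N, NOW, reject_all); }

bool fixed_proceeds_after_rejection(void)
{ return verify_chain_fixed(SAMPLE_CHAIN, SAMPLE_N, NOW, reject_all); }

bool fixed_proceeds_after_acceptance(void)
{ return verify_chain_fixed(SAMPLE_CHAIN, SAMPLE_N, NOW, accept_all); }

int main(void)
{
    printf("buggy, user rejects intermediate -> proceeds: %s\n",
           buggy_proceeds_after_rejection() ? "yes (vulnerable)" : "no");
    printf("fixed, user rejects intermediate -> proceeds: %s\n",
           fixed_proceeds_after_rejection() ? "yes" : "no (aborted)");
    printf("fixed, user accepts              -> proceeds: %s\n",
           fixed_proceeds_after_acceptance() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one a reviewer would check in any TLS client with an interactive trust prompt: the decision returned to the handshake must be the conjunction of every per-certificate answer, so a single rejection anywhere in the chain fails closed.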

Exploitation

An attacker positioned to intercept network traffic (man-in-the-middle) can present a certificate chain containing an expired intermediate certificate during the TLS handshake. When the user connects to a mail server (IMAP, POP3, or SMTP) and rejects the expired certificate at the prompt, the buggy code ignores the rejection and the connection continues. No additional authentication or user interaction beyond the standard prompt is required; the attacker only needs to serve a chain containing an expired intermediate [3].

Impact

Successful exploitation allows a man-in-the-middle attacker to intercept, read, or modify email traffic without the user's knowledge, because the TLS connection is established despite the user's explicit rejection of the expired certificate. This breaks the trust model of TLS and can lead to disclosure of sensitive email content; credentials may also be at risk, although the references do not confirm that they are directly exposed [2][3].

Mitigation

The vulnerability is fixed in Mutt version 1.14.3, released on June 14, 2020 [3]. Users should upgrade to this version or later. Distributions such as Ubuntu (USN-4401-1) and Gentoo (GLSA 202007-57) have also released updated packages [2][4]. No workaround is available; updating Mutt is the recommended mitigation.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 32

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in our index yet)