VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2020 · Updated Aug 4, 2024

CVE-2020-14954

Description

Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS response injection vulnerability in IMAP, SMTP, and POP3, allowing MITM attacks.

Vulnerability

A STARTTLS response injection vulnerability exists in Mutt versions before 1.14.4 and NeoMutt versions before 2020-06-19, affecting IMAP, SMTP, and POP3 protocols. When a server sends a "begin TLS" response (e.g., A OK begin TLS\r\n for IMAP), the client reads any additional data appended after the \r\n and stores it in an internal buffer for later processing. This allows a man-in-the-middle attacker to inject arbitrary responses that will be processed in the TLS context [1][2].

Exploitation

An attacker positioned as a man-in-the-middle (MITM) between the client and the server can append arbitrary response data after the server's STARTTLS response. Because Mutt reads and buffers all data following the "begin TLS" line before establishing the TLS session, the attacker's injected responses are then evaluated by the client as if they were legitimate TLS-protected responses. No authentication or user interaction beyond normal email client operation is required to trigger the vulnerability [2].

Impact

A successful MITM attacker can inject arbitrary responses into the IMAP, SMTP, or POP3 sessions, leading to potential information disclosure, data manipulation, or other unauthorized actions within the mail protocol context. The attacker can effectively impersonate the server or alter the protocol flow, compromising the confidentiality and integrity of email communications [2][3].

Mitigation

The vulnerability is fixed in Mutt version 1.14.4, released on June 19, 2020, via commit c547433c [2][4]. The fix clears the CONNECTION input buffer in mutt_ssl_starttls() before initiating TLS to discard any data injected after the STARTTLS response. NeoMutt fixed the issue in the June 19, 2020 release. Users should update to these versions immediately. Ubuntu published a security notice (USN-4403-1) for supported releases [3]. No workarounds are documented; upgrading is the only mitigation.
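
The buffering flaw and the fix described above, as an added example (a toy model, not Mutt's or NeoMutt's code): a read-ahead buffer keeps the bytes appended after the "begin TLS" line, and clearing it before the handshake discards them. The Conn struct, the function names and the sample wire bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Toy buffered connection; all names here are hypothetical, not Mutt's. */
typedef struct {
    const char *wire;    /* constructed bytes "arriving" from the network */
    size_t wire_off;
    char inbuf[256];     /* client-side read-ahead buffer */
    size_t pos, avail;
} Conn;

/* Like read(2): returns everything currently in flight in one call. */
static size_t fill(Conn *c) {
    size_t n = strlen(c->wire + c->wire_off);
    if (n > sizeof c->inbuf) n = sizeof c->inbuf;
    memcpy(c->inbuf, c->wire + c->wire_off, n);
    c->wire_off += n; c->pos = 0; c->avail = n;
    return n;
}

/* Return one CRLF-terminated line; bytes after it stay in inbuf. */
static int read_line(Conn *c, char *out, size_t outsz) {
    size_t i = 0;
    for (;;) {
        if (c->pos == c->avail && fill(c) == 0) return -1;
        char ch = c->inbuf[c->pos++];
        if (ch == '\n') break;
        if (ch != '\r' && i + 1 < outsz) out[i++] = ch;
    }
    out[i] = '\0';
    return (int)i;
}

/* Upgrade step: returns plaintext bytes still buffered when TLS starts. */
static size_t upgrade_to_tls(Conn *c, int clear_buffer) {
    if (clear_buffer) c->pos = c->avail = 0;  /* discard pre-TLS read-ahead */
    return c->avail - c->pos;                 /* TLS handshake would follow */
}

/* First line parsed after the upgrade; "" means nothing plaintext survived. */
static const char *first_line_after_upgrade(int clear_buffer) {
    static char line[128];
    Conn c = { .wire = "A OK begin TLS\r\nB OK injected\r\n" };  /* constructed */
    read_line(&c, line, sizeof line);         /* consumes the STARTTLS reply */
    if (upgrade_to_tls(&c, clear_buffer) == 0) return "";
    read_line(&c, line, sizeof line);
    return line;
}
int main(void) {
    printf("buffer kept:    [%s]\n", first_line_after_upgrade(0));
    printf("buffer cleared: [%s]\n", first_line_after_upgrade(1));
    return 0;
}
```

A non-zero return from upgrade_to_tls() before clearing is also a useful signal to log, since a well-behaved server sends nothing between its "begin TLS" line and the handshake.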

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

32

References

16
