CVE-2021-39272
Description
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption in some circumstances, such as a certain situation with IMAP and PREAUTH.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fetchmail before 6.4.22 fails to enforce STARTTLS session encryption when the IMAP server sends a PREAUTH response, allowing a MitM to intercept plaintext credentials.
Vulnerability
Fetchmail versions before 6.4.22 contain a vulnerability in which the client fails to enforce STARTTLS session encryption under certain circumstances [2]. Specifically, when connecting to an IMAP server that returns a PREAUTH response, fetchmail bypasses the TLS negotiation and continues communication over an unencrypted connection [1][2]. This issue was discovered as part of the "NO STARTTLS" research presented at USENIX Security 21 [1].
Exploitation
An attacker with a Meddler-in-the-Middle (MitM) position between the fetchmail client and the IMAP server can trigger the vulnerability by sending a PREAUTH response before the STARTTLS handshake completes [1]. The attacker does not need authentication or prior write access to the network segment. The expected TLS upgrade is skipped, and all subsequent commands and data (including login credentials) are transmitted in plaintext [1][2].
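To make the Vulnerability and Exploitation sections concrete, here is an added illustration (not fetchmail's code, and not a description of its actual implementation) of the client-side decision point: an IMAP greeting parser plus a policy function that contrasts the weak behaviour, where a PREAUTH greeting makes the client skip the TLS upgrade it was configured to require, with a hardened one that refuses to continue over plaintext. The `must_tls` flag, the action names and the sample greetings are assumptions constructed for this example.

```python
"""IMAP greeting handling around the CVE-2021-39272 failure mode.

Added example, not fetchmail's own code. `must_tls` models a client that is
configured to require STARTTLS; `hardened` switches between the weak policy
(PREAUTH means "already authenticated", so no TLS upgrade is attempted) and
a policy that aborts instead of talking to the server in plaintext.
"""
import re

# Untagged greeting: "* OK [CAPABILITY ...] text", "* PREAUTH text", "* BYE text"
GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)(?: \[([^\]]*)\])? ?(.*)$", re.I)


def parse_greeting(line):
    """Return (status, capabilities) for an IMAP server greeting line."""
    m = GREETING_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an IMAP greeting: %r" % line)
    status, code, _text = m.groups()
    caps = set()
    if code and code.upper().startswith("CAPABILITY "):
        caps = {c.upper() for c in code.split()[1:]}
    return status.upper(), caps


def next_step(greeting, must_tls, hardened=True):
    """Decide the client's next action: 'STARTTLS', 'CONTINUE_PLAINTEXT' or 'ABORT'."""
    status, _caps = parse_greeting(greeting)
    if status == "BYE":
        return "ABORT"
    if status == "OK":
        # Not-authenticated state: this is the only state in which STARTTLS is
        # valid (RFC 3501), so a TLS-requiring client upgrades here.
        return "STARTTLS" if must_tls else "CONTINUE_PLAINTEXT"
    # status == "PREAUTH": the server claims the session is already authenticated.
    if not hardened:
        # Weak policy: treat PREAUTH as "login done" and carry on in plaintext,
        # silently dropping the TLS requirement. This is the failure mode
        # the CVE describes; a MitM that injects PREAUTH reaches this branch.
        return "CONTINUE_PLAINTEXT"
    # Hardened policy: STARTTLS can no longer be issued after PREAUTH, so the
    # plaintext socket can never be upgraded. When TLS is mandatory, abort.
    return "ABORT" if must_tls else "CONTINUE_PLAINTEXT"


if __name__ == "__main__":
    # Constructed sample greetings, including an injected PREAUTH.
    for g in ("* OK [CAPABILITY IMAP4rev1 STARTTLS] ready", "* PREAUTH ready"):
        print("%-45s weak=%s hardened=%s" % (g, next_step(g, True, hardened=False),
                                               next_step(g, True)))
```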
Impact
If exploited, fetchmail sends email retrieval commands and authentication credentials over an unencrypted connection [2]. A MitM attacker can read the plaintext traffic, potentially capturing sensitive information such as usernames and passwords for the mail server, as well as the content of fetched emails [1][2]. The compromise affects confidentiality; the attacker gains no direct code execution or privilege escalation on the fetchmail host.
Mitigation
The vulnerability is fixed in fetchmail version 6.4.22, released in August 2021 [2]. All users should upgrade to at least this version. Fetchmail 6.3.x and older are end-of-life and no longer receive security updates; users of those branches must upgrade to a supported release [3]. No workaround is available for unfixed versions. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Fetchmail / Fetchmail
- OSV coordinates (no CPE assigned), 20 fixed-version ranges, one per package coordinate:
  - pkg:rpm/almalinux/fetchmail: < 6.4.24-1.el8
  - pkg:rpm/opensuse/fetchmail (openSUSE Leap 15.2): < 6.3.26-lp152.6.9.1
  - pkg:rpm/opensuse/fetchmail (openSUSE Leap 15.3): < 6.3.26-20.17.1
  - pkg:rpm/opensuse/fetchmail (openSUSE Tumbleweed): < 6.4.22-1.1
  - pkg:rpm/suse/fetchmail (SUSE Enterprise Storage 6): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise High Performance Computing 15-LTSS): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Module for Basesystem 15 SP2): < 6.3.26-20.17.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Module for Basesystem 15 SP3): < 6.3.26-20.17.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Module for Desktop Applications 15 SP2): < 6.3.26-20.17.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Module for Desktop Applications 15 SP3): < 6.3.26-20.17.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Server 12 SP5): < 6.3.26-13.15.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Server 15 SP1-BCL): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Server 15 SP1-LTSS): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Server 15-LTSS): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 6.3.26-13.15.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Server for SAP Applications 15): < 6.4.22-20.20.1
  - pkg:rpm/suse/fetchmail (SUSE Linux Enterprise Server for SAP Applications 15 SP1): < 6.4.22-20.20.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XJ6XLEJCEZCAM5LGGD6XBCC522QLG4/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXMKSEHAQSEDCWZMAOJEGX3P3JW6QY6H/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYCYLL73NP7ALJWSDICIVSA47ZIXWSSA/ (MITRE, vendor advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202209-14 (MITRE, vendor advisory, x_refsource_GENTOO)
- www.openwall.com/lists/oss-security/2021/08/27/3 (MITRE, x_refsource_MISC)
- nostarttls.secvuln.info (MITRE, x_refsource_MISC)
- www.fetchmail.info/security.html (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.