VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2024 · Updated Nov 20, 2025

Mutt: neomutt: to and cc email header fields are not protected by cryptographic signing

CVE-2024-49393

Description

In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing, which allows an attacker that intercepts a message to change their value and include themselves as one of the recipients, compromising message confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In neomutt and mutt, the To and Cc headers are not cryptographically signed, allowing an attacker intercepting a message to modify them and compromise confidentiality.

Vulnerability

In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing. This means that an attacker who intercepts a message can modify these headers without invalidating the signature. The vulnerability affects all versions of mutt and neomutt that support cryptographic signing (e.g., S/MIME or PGP) and do not include the headers in the signed data. [1][2]

Exploitation

An attacker with network interception capabilities (e.g., on the same network or controlling a mail relay) can capture the email, alter the To or Cc fields to include their own email address, and forward the message to the intended recipients. The attacker does not need to break the cryptographic signature; they only modify the unsigned headers. The recipients may see the modified headers, but the signature on the body remains valid, potentially leading to false trust. [1][2]

Impact

Successful exploitation allows the attacker to become a recipient of the email, thereby gaining access to the message content. This compromises the confidentiality of the communication. No other impacts (integrity, availability) are described in the available sources. [1][2]

Mitigation

As of the publication date (2024-11-12), no patched version of mutt or neomutt has been released to address this issue. The vulnerability is inherent in how these clients handle signed emails; a fix would require including the To and Cc headers in the signed data. Users should monitor the respective projects for updates and consider manual verification of email headers as a workaround. [1][2]
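The header comparison that the workaround above calls for, automated: an added example written for this page, not mutt or neomutt code. It assumes a protected-headers layout in which the signed body part carries its own copies of To and Cc, and that the signature itself has already been verified by other tooling; the sample message is constructed.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed sample (assumption: a protected-headers layout where the signed
# body part carries its own To/Cc copies). The outer To gained an extra
# recipient in transit; the copies inside the signed part did not.
SAMPLE_MESSAGE = b"""\
From: alice@example.org
To: bob@example.org, mallory@example.net
Cc: carol@example.org
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain; charset=us-ascii
To: bob@example.org
Cc: carol@example.org

Body text (constructed).
--sig
Content-Type: application/pgp-signature

(placeholder, not a real signature; verification is assumed to happen elsewhere)
--sig--
"""

def addresses(value):
    """Normalize a header value into a set of lower-cased addresses."""
    return {addr.lower() for _, addr in getaddresses([str(value or "")]) if addr}

def recipient_header_mismatches(raw):
    """Map each of To/Cc to its outer and protected address sets when they differ.

    Raises ValueError when the check cannot run: the message is not
    multipart/signed, or the signed part carries no protected To/Cc copy.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    signed_part = msg.get_payload()[0]
    if signed_part.get("To") is None and signed_part.get("Cc") is None:
        raise ValueError("signed part carries no protected To/Cc headers")
    mismatches = {}
    for name in ("To", "Cc"):
        outer, protected = addresses(msg.get(name)), addresses(signed_part.get(name))
        if outer != protected:
            mismatches[name] = {"outer": outer, "protected": protected}
    return mismatches
```

A non-empty result means the outer recipient list no longer matches the signed copy and the message should be treated as tampered, regardless of the body signature being valid.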

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0 (no patches discovered yet)


References: 2

News mentions: 0 (no linked articles indexed yet)