
Fetchmail STARTTLS Denial Of Service

Posted Jun 7, 2011
Authored by Matthias Andree

Fetchmail suffers from a denial of service vulnerability in the STARTTLS protocol phases. Versions 5.9.9 up to and including 6.3.19 are affected.

tags | advisory, denial of service, protocol
advisories | CVE-2011-1947
SHA-256 | 1489e4cc4ce52c41a58894cd8f7579dfc567612fec359ebe3eb13209676c068f


fetchmail-SA-2011-01: Denial of service possible in STARTTLS mode

Topics: fetchmail denial of service in STARTTLS protocol phases

Author: Matthias Andree
Version: 1.0
Announced: 2011-06-06
Type: Unguarded blocking I/O can cause indefinite application hang
Impact: Denial of service
Danger: low

CVE Name: CVE-2011-1947
CVSS scores: 4.7: Base 6.3 (Impact 6.9 Exploitability 6.8) Temporal 4.7
This is calculated without Environmental Score.
URL: http://www.fetchmail.info/fetchmail-SA-2011-01.txt
Project URL: http://www.fetchmail.info/

Affects: fetchmail releases 5.9.9 up to and including 6.3.19

Not affected: fetchmail release 6.3.20 and newer

Corrected in: 2011-05-26 Git, among others, see commit

2011-05-29 fetchmail 6.3.20-rc3 tarball (for testing)

2011-06-06 fetchmail 6.3.20 release tarball

0. Release history

2011-05-30 0.1 first draft (visible in Git and through oss-security)
2011-06-06 1.0 release

1. Background

fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.

2. Problem description and Impact

Fetchmail version 5.9.9 introduced STLS support for POP3, version
6.0.0 added STARTTLS for IMAP. However, the actual S(TART)TLS-initiated
in-band SSL/TLS negotiation was not guarded by a timeout.

Depending on the operating system's default TCP keepalive settings,
fetchmail hangs of more than one week after sending STARTTLS were
observed when the connection failed without the operating system being
notified, for instance through network outages or hard server crashes.

A malicious server that does not respond, at the network level, after
acknowledging fetchmail's STARTTLS or STLS request, can hold fetchmail
in this protocol state, and thus render fetchmail unable to complete the
poll, or proceed to the next server, effecting a denial of service.

SSL-wrapped mode on dedicated ports was unaffected by this problem, so
can be used as a workaround.
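The following Python script is an added illustration of the defect class described above, not fetchmail code: a POP3 STLS client whose TLS handshake is guarded by its own deadline, run against a constructed stand-in server that acknowledges STLS and then goes silent at the network level. The server, port and timeout values are assumptions for the demonstration.

```python
import socket
import ssl
import threading

# Constructed stand-in for the misbehaving server in the advisory: it
# acknowledges STLS and then never speaks again (assumption, not fetchmail).
def silent_stls_server(listener, stop):
    conn, _ = listener.accept()
    conn.sendall(b"+OK POP3 ready\r\n")
    conn.recv(64)                                  # consumes "STLS\r\n"
    conn.sendall(b"+OK Begin TLS negotiation\r\n")
    stop.wait()                                    # no ServerHello, ever
    conn.close()

def pop3_stls(host, port, handshake_timeout):
    """POP3 STLS with the TLS handshake guarded by its own deadline.
    Returns 'tls-ok', 'timeout' or 'stls-refused' instead of hanging."""
    ctx = ssl.create_default_context()             # cert validation on (cf. sslcertck)
    sock = socket.create_connection((host, port), timeout=5)
    try:
        sock.recv(512)                             # server greeting
        sock.sendall(b"STLS\r\n")
        if not sock.recv(512).startswith(b"+OK"):
            return "stls-refused"
        # The unguarded pattern (CVE-2011-1947) would start the handshake on a
        # socket without a timeout and block for as long as TCP keeps the
        # half-dead connection alive; here the handshake gets a deadline.
        sock.settimeout(handshake_timeout)
        tls = ctx.wrap_socket(sock, server_hostname=host)
        tls.close()
        return "tls-ok"
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()

def demo(handshake_timeout=2.0):
    """Run the guarded client against the silent server on a loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    stop = threading.Event()
    threading.Thread(target=silent_stls_server,
                     args=(listener, stop), daemon=True).start()
    try:
        return pop3_stls("127.0.0.1", listener.getsockname()[1], handshake_timeout)
    finally:
        stop.set()
        listener.close()

if __name__ == "__main__":
    print(demo())                                  # timeout
```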

3. Solution

Install fetchmail 6.3.20 or newer.

The fetchmail source code is always available from

Distributors are encouraged to review the NEWS file and move forward to
6.3.20, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued. Several such
(long-standing) bugs were fixed through recent releases, and an erratum
notice for SASL authentication was issued.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
interface incompatibly.

4. Workaround

If supported by the server's configuration, fetchmail can be run in
ssl-wrapped rather than starttls mode. To that end, the "ssl sslproto
ssl3" option must be added to the rcfile (possibly replacing sslproto
tls1 where configured), or "--ssl --sslproto ssl3" can be given on the
command line (where it applies to all poll configurations).

It is generally also advisable to enforce SSL certificate validation, by
either using --sslcertck on the command line, or using sslcertck in a
"default" configuration entry of the rcfile, or using sslcertck in
each of the relevant individual poll descriptions of the rcfile.

A. Copyright, License and Non-Warranty

(C) Copyright 2011 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-Noncommercial-No Derivative Works 3.0 Germany License.
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/de/ or send a letter to

Creative Commons
171 Second Street
Suite 300

Use the information herein at your own risk.

END of fetchmail-SA-2011-01