CVE-2017-15042

golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting

Severity Score

5.9

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn't advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.

Existe un problema de texto en claro no planeado en la versión 1.8.4 y versiones 1.9.x anteriores a la 1.9.4 de Go. La RFC 4954 requiere que durante la autenticación SMTP, el esquema de autenticación PLAIN solo se use en conexiones de red protegidas con TLS. La implementación original de smtp.PlainAuth en Go 1.0 aseguraba el cumplimiento de este requisito y se documentó que esto se llevase a cabo. En 2013, problema upstream #5184, esto se modificó para que el servidor pudiera decidir si se acepta PLAIN. El resultado es que si un usuario crea un servidor SMTP Man-in-the-Middle (MitM) que no anuncia STARTTLS pero sí anuncia que la autenticación PLAIN es OK, la implementación smtp.PlainAuth envía el nombre de usuario y contraseña.

It was found that smtp.PlainAuth authentication scheme in Go did not verify the TLS requirement properly. A remote man-in-the-middle attacker could potentially use this flaw to sniff SMTP credentials sent by a Go application.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-10-05 CVE Reserved
2017-10-05 CVE Published
2023-05-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-300: Channel Accessible by Non-Endpoint
CWE-319: Cleartext Transmission of Sensitive Information

CAPEC

References (10)

URL	Tag	Source
http://www.securityfocus.com/bid/101197	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/golang/go/issues/22134	2019-10-03
https://golang.org/cl/68023	2019-10-03

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2017:3463	2019-10-03
https://access.redhat.com/errata/RHSA-2018:0878	2019-10-03
https://golang.org/cl/68210	2019-10-03
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ	2019-10-03
https://security.gentoo.org/glsa/201710-23	2019-10-03
https://access.redhat.com/security/cve/CVE-2017-15042	2018-04-10
https://bugzilla.redhat.com/show_bug.cgi?id=1498867	2018-04-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				<= 1.8.3 Search vendor "Golang" for product "Go" and version " <= 1.8.3"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				1.9 Search vendor "Golang" for product "Go" and version "1.9"		-		Affected