CLD-188 Details

Other IDs this deficiency may be known by:

CVE ID None
Other ID(s) Mailsploit, fixed-in-52.5.2

Basic Information:

Affected Package(s) thunderbird
Deficiency Type SECURITY
Date Created 2017-12-22 19:56:33
Date Last Modified 2017-12-22 21:17:44

Version Specific Information:

Cucumber 1.0 i686 fixed in thunderbird-52.5.2-i686-1
Cucumber 1.0 x86_64 fixed in thunderbird-52.5.2-x86_64-1

Cucumber 1.1 i686 fixed in thunderbird-52.5.2-i686-1
Cucumber 1.1 x86_64 fixed in thunderbird-52.5.2-x86_64-1

Details:

============ A NOTE ABOUT MOZILLA'S RESPONSE TO THIS VULNERABILITY =============

Mozilla had known about this vulnerability for at least three months prior to
December 5, 2017. They claimed that this was a server side problem and stated
they would not fix the vulnerability. Only more than two weeks after the full
technical details of the vulnerability were made public did they begrudgingly
issue a patch for it.

If you would like to contact the Mozilla Security Team (the security team that
is in charge of Thunderbird) regarding their response, they can be reached via
email at security@mozilla.org or the Mozilla Foundation can be reached via
snail mail at:

	Mozilla Foundation
	1981 Landings Drive
	Building K
	Mountain View, CA 94043-0801
	USA

Source: https://www.mailsploit.com/index

=================================== Overview ===================================

From https://www.mailsploit.com/index:

TL;DR: Mailsploit is a collection of bugs in email clients that allow effective
sender spoofing and code injection attacks. The spoofing is not detected by
Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing
protection mechanisms such as DMARC (DKIM/SPF) or spam filters.

Bugs were found in over 30 applications, including prominent ones like Apple
Mail (macOS, iOS and watchOS), Mozilla Thunderbird, various Microsoft email
clients, Yahoo! Mail, ProtonMail and others.

In addition to the spoofing vulnerability, some of the tested applications also
proved to be vulnerable to XSS and code injection attacks.

================================ Initial Report ================================

This vulnerability was originally discovered by Sabri Haddouche. The initial
report can be found at https://www.mailsploit.com/index; it is too lengthy to
post here.

============================ Additional Information ============================

From https://www.mozilla.org/en-US/thunderbird/52.5.2/releasenotes/:

This release fixes the "Mailsploit" vulnerability and other vulnerabilities
detected by the "Cure53" audit. For details and various other security fixes see
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird52.5.2.

================================= Our Analysis =================================

----- Affected Products -----
Versions of Thunderbird prior to 52.5.2 are affected by this vulnerability.
This includes Thunderbird as originally packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
This vulnerability allows any attacker to spoof the "From" field in
an email; the attacker can make an email appear to be from any email address of
his choosing (such as potus@whitehouse.gov). Furthermore, these spoofed emails
get past most spam filters.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by upgrading to Thunderbird 52.5.2.
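
The following is an added example, not part of the original advisory or of Cucumber Linux's tooling: it audits a list of installed package strings against the fixed version given above. It assumes the name-version-arch-build layout seen in "thunderbird-52.5.2-i686-1"; the function names and the sample inventory are constructed for illustration.

```python
import re

PACKAGE = "thunderbird"
FIXED_VERSION = "52.5.2"  # first fixed version, taken from this advisory


def parse_package(pkg):
    """Split 'name-version-arch-build' from the right so hyphenated names survive."""
    parts = pkg.strip().rsplit("-", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError("not a name-version-arch-build string: %r" % pkg)
    return tuple(parts)


def version_key(version):
    """Numeric key, so 52.10.0 sorts after 52.5.2 (a plain string compare would not).

    Any non-numeric suffix on a field (for example 'esr') is ignored.
    """
    key = []
    for field in version.split("."):
        match = re.match(r"\d+", field)
        key.append(int(match.group()) if match else 0)
    return tuple(key)


def is_vulnerable(pkg):
    """True: Thunderbird older than the fix. False: fixed. None: another package."""
    name, version, _arch, _build = parse_package(pkg)
    if name != PACKAGE:
        return None
    return version_key(version) < version_key(FIXED_VERSION)


def audit(packages):
    """Return the package strings that still need the upgrade, in input order."""
    return [pkg for pkg in packages if is_vulnerable(pkg)]


# Constructed sample inventory (assumption: one package string per entry).
SAMPLE = [
    "thunderbird-52.5.0-x86_64-1",
    "thunderbird-52.5.2-i686-1",
    "thunderbird-52.10.0-x86_64-1",  # constructed version, tests numeric compare
    "xorg-server-1.19.5-x86_64-1",
]

if __name__ == "__main__":
    for pkg in audit(SAMPLE):
        print("VULNERABLE (CLD-188):", pkg)
```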

================================= Our Solution =================================

We have upgraded to Thunderbird 52.5.2.