The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability CVE-2016-0772

Python: TLS disabling in smtplib

Synthesis of the vulnerability

An attacker can make the creation of a TLS tunnel by the smtplib module of Python, in order to read sent mails.
Vulnerable software: Debian, Fedora, openSUSE, openSUSE Leap, Solaris, Python, RHEL, Splunk Enterprise, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this announce: 1/4.
Consequences of an intrusion: data reading, data flow.
Attacker's origin: LAN.
Creation date: 16/06/2016.
Références of this computer vulnerability: bulletinjul2016, CVE-2016-0772, DLA-1663-1, DLA-522-1, DLA-871-1, FEDORA-2016-105b80d1be, FEDORA-2016-13be2ee499, FEDORA-2016-2869023091, FEDORA-2016-34ca5273e9, FEDORA-2016-5c52dcfe47, FEDORA-2016-6c2b74bb96, FEDORA-2016-a0853405eb, FEDORA-2016-aae6bb9433, FEDORA-2016-b046b56518, FEDORA-2016-e37f15a5f4, FEDORA-2016-ef784cf9f7, openSUSE-SU-2016:1885-1, openSUSE-SU-2016:2120-1, RHSA-2016:1626-01, RHSA-2016:1627-01, RHSA-2016:1628-01, RHSA-2016:1629-01, RHSA-2016:1630-01, SP-CAAAPSR, SPL-128812, SUSE-SU-2019:0223-1, USN-3134-1, VIGILANCE-VUL-19915.

Description of the vulnerability

The Python library includes a SMTP client.

This library enables a TLS tunnel. However, it does not check the status code of the STARTTLS command and accept to continue the SMTP session in plain text. An attacker who can hijack the traffic can insert an error after the STARTTLS command to disable the encryption.

An attacker can therefore make the creation of a TLS tunnel by the smtplib module of Python, in order to read sent mails.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides computer vulnerability announces. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The technology watch team tracks security threats targeting the computer system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.