Claws Mail contains two vulnerabilities that allow an attacker to perform spoofing attacks, enabling man-in-the-middle interception of potentially sensitive information. These issues are caused by two Claws Mail plugins, vCalendar and RSSyl, which do not properly verify SSL certificates.
Affected Versions: Claws Mail 3.9.3 and possibly earlier versions
Exploit: No Exploit Available
Because two plugins within Claws Mail do not properly verify SSL certificates, a remote attacker may spoof a mail server or another server with which Claws Mail communicates. Since the SSL certificate is not properly verified, Claws Mail continues to communicate with the spoofed server, possibly disclosing sensitive information to the attacker.
BeyondTrust Prevention and Detection:
BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
- 33367 - Claws Mail 3.9.3 and Prior SSL Verification Issue (Zero-Day) - Windows
- 33368 - Claws Mail 3.9.3 and Prior SSL Verification Issue (Zero-Day) - Windows x86
- 33369 - Claws Mail 3.9.3 and Prior SSL Verification Issue (Zero-Day) - UNIX/Linux
No fix is currently available. As a workaround, avoid using the Claws Mail vCalendar and RSSyl plugins where possible.
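The following added example (not code from Claws Mail, its plugins, or BeyondTrust) illustrates both the description above and the workaround: it shows what an HTTPS client that "does not properly verify SSL certificates" looks like next to a correctly verifying one, and a small source audit that flags the idioms which switch verification off, so a defender can check their own feed or calendar fetchers. The sample source lines are constructed for this example and are not taken from the Claws Mail plugins; the libcurl option names are real libcurl options but their use here is illustrative.

```python
"""Added example: disabled vs. proper TLS verification, plus a source audit.

Not Claws Mail or BeyondTrust code. The sample source lines below are
constructed for illustration and do not come from the vCalendar or RSSyl
plugins.
"""
import re
import ssl


def insecure_context() -> ssl.SSLContext:
    """The weak configuration: no chain validation, no hostname check.

    Any certificate, including one presented by an on-path attacker, is
    accepted, which is the failure mode described in the advisory.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context() -> ssl.SSLContext:
    """The corrected configuration: chain validated against the system trust
    store and the server name matched against the certificate (Python's
    defaults for create_default_context)."""
    return ssl.create_default_context()


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """Runtime check a fetcher can apply before opening a connection."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Idioms that disable certificate or hostname verification in common clients.
# (Pattern list is illustrative, not exhaustive.)
DISABLED_VERIFICATION = [
    (re.compile(r"CURLOPT_SSL_VERIFY(?:PEER|HOST)\s*,\s*0L?\b"),
     "libcurl peer/host verification switched off"),
    (re.compile(r"\bverify\s*=\s*False\b"),
     "requests/urllib3 verification switched off"),
    (re.compile(r"\bCERT_NONE\b"),
     "ssl.CERT_NONE accepts any certificate"),
    (re.compile(r"check_hostname\s*=\s*False"),
     "hostname check switched off"),
    (re.compile(r"(?:^|\s)(?:-k|--insecure)(?:\s|$)"),
     "curl -k/--insecure"),
]


def audit_source(lines):
    """Return (line_no, text, reason) for every line that disables verification."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pattern, reason in DISABLED_VERIFICATION:
            if pattern.search(line):
                findings.append((n, line.strip(), reason))
                break
    return findings


# Constructed sample source, resembling a feed/calendar fetcher; not plugin code.
SAMPLE_SOURCE = [
    "curl_easy_setopt(curl, CURLOPT_URL, feed_url);",
    "curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);",
    "curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);",
    "curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);",
    "resp = requests.get(ics_url, verify=False)",
    "ctx.verify_mode = ssl.CERT_REQUIRED",
    "curl -k https://calendar.example.test/feed.ics",
]


if __name__ == "__main__":
    print("insecure context verifies:", context_verifies(insecure_context()))
    print("default context verifies:", context_verifies(verifying_context()))
    for line_no, text, reason in audit_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}: {text}")
```

Run against a real code base, `audit_source` is a quick first pass for the class of defect the advisory describes; a finding means the client will accept a forged certificate from whoever sits between it and the server, which is exactly why the advisory's workaround is to stop using the affected plugins until verification is enforced.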