alpaca mitigations #5061

Draft
wants to merge 11 commits into base: master


elliefm (Contributor) commented Oct 2, 2024

Adds the following mitigations that prevent Cyrus IMAP servers being used in Application Layer Protocol Confusion (ALPACA) attacks, particularly against web browsers:

  • connection is dropped after excessive consecutive basic syntax errors ("Invalid tag", "Null command", "Unrecognized command")
  • tags cannot contain `<>` characters (prevents reflecting attacker-supplied HTML content in IMAP responses)
  • tags cannot contain `:` characters (HTTP request header lines now count as basic syntax errors)
  • the first command's tag cannot be one of the HTTP request methods that accept a request body (connections from tricked web browsers will look like this)
  • connection is dropped if the first command has an invalid tag, including the first command after STARTTLS is established

Fixes #5046
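
The tag checks listed in the description above, sketched as a stand-alone C function. This is an added example, not code from this pull request or from Cyrus IMAP; the names `check_tag` and `conn_state`, the threshold of 5, the method list (POST, PUT, PATCH) and the case-insensitive match are assumptions, and only tag errors are modelled.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

#define MAX_CONSECUTIVE_ERRORS 5  /* assumed; the PR only says "excessive" */

enum verdict { TAG_OK, TAG_ERROR, TAG_DROP };

struct conn_state {
    bool first_command;      /* true at connect and again after STARTTLS */
    int consecutive_errors;  /* invalid tags seen in a row */
};

/* RFC 3501 tag grammar (ASTRING-CHAR except '+'), with '<', '>', ':' also rejected */
static bool tag_char_ok(unsigned char c)
{
    if (c <= 0x20 || c >= 0x7f) return false;   /* SP, CTL, DEL, 8-bit */
    return strchr("(){%*\"\\+<>:", c) == NULL;
}

/* HTTP methods that carry a request body (assumed list, matched case-insensitively) */
static bool is_http_body_method(const char *tag)
{
    static const char *const methods[] = { "POST", "PUT", "PATCH" };
    for (size_t i = 0; i < sizeof methods / sizeof *methods; i++)
        if (strcasecmp(tag, methods[i]) == 0) return true;
    return false;
}

/* Classify one command's tag: accept it, report a syntax error, or drop the connection */
enum verdict check_tag(struct conn_state *st, const char *tag)
{
    bool was_first = st->first_command;
    bool valid = tag[0] != '\0';

    for (const char *p = tag; valid && *p; p++)
        valid = tag_char_ok((unsigned char)*p);
    if (valid && was_first && is_http_body_method(tag))
        valid = false;       /* looks like a browser's HTTP request line */

    st->first_command = false;
    if (valid) {
        st->consecutive_errors = 0;
        return TAG_OK;
    }
    if (was_first || ++st->consecutive_errors >= MAX_CONSECUTIVE_ERRORS)
        return TAG_DROP;     /* bad first tag, or too many errors in a row */
    return TAG_ERROR;
}
```

A caller would set `first_command` back to `true` once STARTTLS completes, so the first command inside the TLS session gets the same strict treatment.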

elliefm (Contributor, Author) commented Oct 2, 2024

(details subject to change after we get some data about what tags IMAP clients in the wild are sending to our servers)

elliefm (Contributor, Author) commented Nov 11, 2024

Needs #5126 to land first

Development

Successfully merging this pull request may close these issues.

countermeasures to ALPACA attack?