CVE-2021-26911
📋 TL;DR
CVE-2021-26911 is a missing TLS certificate validation vulnerability in Canary Mail's IMAP implementation (the mailcore2 library the app is built on) when a connection is upgraded with STARTTLS. Because the server certificate presented after the STARTTLS upgrade is never checked, an attacker positioned on the network path can present any certificate, terminate the TLS session themselves, and read or modify the IMAP traffic, including the credentials sent at login. Canary Mail versions before 3.22 are affected; the fix landed in the canarymail/mailcore2 commit referenced below.
💻 Affected Systems
- Canary Mail (versions before 3.22)
- mailcore2 (canarymail fork, before the fix commit referenced below)
📦 What is this software?
Canary Mail by Canarymail
Mailcore2 by Libmailcore
⚠️ Risk & Real-World Impact
Worst Case
An attacker on the network path can run a full man-in-the-middle attack on the IMAP session: capturing the IMAP login credentials, reading all mailbox content the client fetches, and injecting or altering messages the client sees.
Likely Case
Targeted attacks in insecure networks (public WiFi, compromised routers) leading to email interception and credential theft.
If Mitigated
Limited impact when the client only connects over a VPN or trusted network, or when the account is configured to use a connection mode (implicit TLS) or protocol whose certificate validation is intact.
🎯 Exploit Status
No SSL stripping is needed: the client will complete the STARTTLS upgrade against any certificate, so a transparent proxy on the path that presents a self-signed or attacker-issued certificate is sufficient. The Census Labs advisory referenced below documents the issue; exploitation requires only standard man-in-the-middle tooling and a position on the network path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.22 and later
Vendor Advisory: https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/
Restart Required: Yes
Instructions:
1. Open the app store you installed Canary Mail from (App Store for iOS/macOS; Google Play or Microsoft Store where Canary Mail is distributed there).
2. Check for updates.
3. Install version 3.22 or later.
4. Restart the application.
🔧 Temporary Workarounds
Use SSL/TLS instead of STARTTLS
Configure IMAP accounts to connect over implicit TLS (typically port 993) rather than a plaintext connection upgraded with STARTTLS (typically port 143); the missing check is specific to the STARTTLS upgrade path.
Use alternative email protocols
Switch to Exchange ActiveSync or another protocol supported by the client that does not rely on IMAP STARTTLS.
🧯 If You Can't Patch
- Avoid using Canary Mail on untrusted networks (public WiFi, hotel networks)
- Use VPN when connecting to email services to encrypt all network traffic
🔍 How to Verify
Check if Vulnerable:
Check the Canary Mail version in the app settings. If the version is below 3.22 and any account uses IMAP with STARTTLS, you are vulnerable.
Check Version:
Open Canary Mail → Settings/Preferences → About → Check version number
Verify Fix Applied:
Verify the Canary Mail version is 3.22 or higher in the app settings. Then test an IMAP STARTTLS connection against a server that presents an untrusted (for example self-signed) certificate and confirm the client refuses to proceed to login.
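The following local test harness is an added example, not code from the page, from Canary Mail, or from the Census Labs advisory. It is a minimal fake IMAP server that advertises STARTTLS, upgrades the connection with whatever certificate and key files you pass it (assumed paths; generate a throwaway self-signed pair with, for example, `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -subj '/CN=imap.example.test' -days 1`), and reports what the client did next. Point the mail client's IMAP account at 127.0.0.1 and the chosen port with STARTTLS enabled: a client that validates certificates aborts the handshake or disconnects, while a vulnerable client proceeds to LOGIN, which the harness reports as the finding without ever accepting the credentials.

```python
"""Local IMAP STARTTLS test harness: advertises STARTTLS, presents the
certificate you supply, and reports whether the client went on to log in.
Added example; the port, certificate and key paths are assumptions."""
import socket
import ssl
import sys


def greeting():
    return b"* OK test IMAP server ready\r\n"


def parse_command(line):
    """Split one IMAP client line into (tag, COMMAND); (None, None) if malformed."""
    parts = line.strip().split(b" ", 2)
    if len(parts) < 2:
        return None, None
    return parts[0], parts[1].upper()


def respond(tag, cmd, tls_active):
    """Build the reply for a client command plus the action the server takes next.

    Actions: 'continue', 'starttls' (upgrade after replying), 'close', and
    'accepted_cert' (the client authenticated over a TLS session it should
    have rejected, i.e. it did not validate the certificate).
    """
    if cmd == b"CAPABILITY":
        caps = b"IMAP4rev1 AUTH=PLAIN" if tls_active else b"IMAP4rev1 STARTTLS LOGINDISABLED"
        return b"* CAPABILITY " + caps + b"\r\n" + tag + b" OK done\r\n", "continue"
    if cmd == b"STARTTLS" and not tls_active:
        return tag + b" OK Begin TLS negotiation now\r\n", "starttls"
    if cmd in (b"LOGIN", b"AUTHENTICATE"):
        # Never accept the credentials; that they were sent at all is the finding.
        action = "accepted_cert" if tls_active else "continue"
        return tag + b" NO rejected by test harness\r\n", action
    if cmd == b"LOGOUT":
        return b"* BYE\r\n" + tag + b" OK logout\r\n", "close"
    return tag + b" BAD unsupported in test harness\r\n", "continue"


def read_line(sock):
    """Read one CRLF-terminated line; returns b'' when the peer has gone away."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            return buf
        buf += chunk
    return buf


def serve_once(port, certfile, keyfile):
    """Accept a single client connection and return a one-line verdict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)   # the untrusted cert the client should reject
    with socket.create_server(("127.0.0.1", port)) as listener:
        conn, _ = listener.accept()
        conn.sendall(greeting())
        tls_active = False
        while True:
            line = read_line(conn)
            if not line:
                conn.close()
                return "client disconnected without logging in (certificate rejected)"
            tag, cmd = parse_command(line)
            if tag is None:
                continue
            reply, action = respond(tag, cmd, tls_active)
            conn.sendall(reply)
            if action == "starttls":
                try:
                    conn = ctx.wrap_socket(conn, server_side=True)
                except OSError as exc:   # ssl.SSLError is a subclass of OSError
                    return "client aborted the TLS handshake (certificate rejected): %s" % exc
                tls_active = True
            elif action == "accepted_cert":
                conn.close()
                return "VULNERABLE: client logged in over TLS without validating the certificate"
            elif action == "close":
                conn.close()
                return "client logged out without authenticating"


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: imap_starttls_harness.py PORT CERT.pem KEY.pem")
    print(serve_once(int(sys.argv[1]), sys.argv[2], sys.argv[3]))
```

The harness treats a completed handshake followed by LOGIN or AUTHENTICATE as the failure signal rather than the handshake alone, because with TLS 1.3 a client may only evaluate the certificate after the server's first flight; what matters is whether the client is willing to send credentials over the resulting session.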
📡 Detection & Monitoring
Log Indicators:
- The vulnerable client emits no certificate warning or error when an IMAP server presents an untrusted certificate, so client-side logs offer little; the absence of any warning on a known-bad certificate is itself the signal
- Unexpected certificate or issuer changes on IMAP connections to a known server
Network Indicators:
- IMAP STARTTLS sessions (typically port 143) that complete the TLS handshake and keep carrying traffic even though the server certificate is self-signed, expired, or chains to an unexpected issuer
- Clients that send no TLS alert and continue the session after a certificate that fails validation
SIEM Query (field names are illustrative; map them to your own schema):
network.protocol:imap AND (ssl.validation:failed OR ssl.certificate:invalid) AND NOT action:blocked
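Because a vulnerable client logs nothing, the network is the only useful vantage point. The following added example (not from the page or the vendor) applies the two network indicators above to Zeek-style ssl.log records in JSON-lines form. The records, the field names used (`id.resp_p`, `established`, `last_alert`, `issuer`, `validation_status`) and the per-server issuer baseline are constructed assumptions; adjust them to your sensor's actual schema. It flags IMAP STARTTLS sessions that completed without a client alert although the certificate failed validation, and sessions whose certificate validated but was issued by something other than the baseline issuer for that server (the shape an interception CA produces). Implicit-TLS sessions on port 993 are excluded because the missing check is specific to the STARTTLS path.

```python
"""Scan Zeek-style ssl.log records (JSON lines) for IMAP STARTTLS sessions that
continued even though the server certificate should not have been trusted.
Added example; sample records, field names and the baseline are constructed."""
import json

IMAP_STARTTLS_PORTS = {143}

# Constructed baseline: the certificate issuer each IMAP server is expected to use.
EXPECTED_ISSUERS = {"203.0.113.10": "CN=Example CA"}

# Constructed sample records in the shape of Zeek ssl.log JSON output (not real traffic).
# CAbc1: normal session. CAbc2: self-signed cert, session continued (vulnerable client).
# CAbc3: self-signed cert, client sent unknown_ca alert (validating client).
# CAbc4: implicit TLS on 993, out of scope. CAbc5: validated, but unexpected issuer.
SAMPLE_SSL_LOG = """\
{"ts":1613555200.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","id.resp_p":143,"established":true,"subject":"CN=imap.example.net","issuer":"CN=Example CA","validation_status":"ok"}
{"ts":1613555201.4,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","id.resp_p":143,"established":true,"subject":"CN=imap.example.net","issuer":"CN=imap.example.net","validation_status":"self signed certificate"}
{"ts":1613555202.0,"uid":"CAbc3","id.orig_h":"10.0.0.6","id.resp_h":"203.0.113.10","id.resp_p":143,"established":false,"last_alert":"unknown_ca","subject":"CN=imap.example.net","issuer":"CN=imap.example.net","validation_status":"self signed certificate"}
{"ts":1613555203.2,"uid":"CAbc4","id.orig_h":"10.0.0.7","id.resp_h":"203.0.113.10","id.resp_p":993,"established":true,"subject":"CN=imap.example.net","issuer":"CN=Example CA","validation_status":"ok"}
{"ts":1613555204.9,"uid":"CAbc5","id.orig_h":"10.0.0.8","id.resp_h":"203.0.113.10","id.resp_p":143,"established":true,"subject":"CN=imap.example.net","issuer":"CN=Corp Proxy Root","validation_status":"ok"}
"""


def classify(rec, expected_issuers=EXPECTED_ISSUERS):
    """Return a reason string if the record looks like an accepted MITM on IMAP
    STARTTLS, or None if it is benign or out of scope."""
    if rec.get("id.resp_p") not in IMAP_STARTTLS_PORTS:
        return None
    if not rec.get("established"):
        return None                      # handshake never completed: nothing was accepted
    if rec.get("last_alert"):
        return None                      # the client aborted with an alert: it validated
    status = rec.get("validation_status")
    if status and status != "ok":
        return "certificate failed validation (%s) but the session continued" % status
    expected = expected_issuers.get(rec.get("id.resp_h"))
    if expected and rec.get("issuer") != expected:
        return "issuer %r differs from baseline %r" % (rec.get("issuer"), expected)
    return None


def scan(log_text, expected_issuers=EXPECTED_ISSUERS):
    """Return [(uid, client_ip, reason)] for every suspicious record in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reason = classify(rec, expected_issuers)
        if reason:
            hits.append((rec["uid"], rec["id.orig_h"], reason))
    return hits


if __name__ == "__main__":
    for uid, client, reason in scan(SAMPLE_SSL_LOG):
        print("%s %s: %s" % (uid, client, reason))
```

Keying the issuer baseline by server IP works even for a transparent man-in-the-middle (ARP or route hijack), because the flow's responder address is still the real server while the certificate is the attacker's. Record CAbc3 shows why the alert check matters: a validating client also produces a failed-validation record, but it ends the session with an alert instead of continuing.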
🔗 References
- https://www.openwall.com/lists/oss-security/2021/02/17/3
- https://apps.apple.com/us/app/canary-mail/id1236045954
- https://census-labs.com/news/2021/02/17/canary-mail-app-missing-certificate-validation-check-on-imap-starttls/
- https://census-labs.com/news/category/advisories/
- https://github.com/canarymail/mailcore2/commit/45acb4efbcaa57a20ac5127dc976538671fce018