[BREAKING] Linux iSync vulnerable to MITM attacks

The Isync application is a command line application which synchronizes selected mailboxes. A new vulnerability has been found in the iSync application.

This vulnerability allows cybercriminals to perform a man in the middle attack on the iSync application.

The iSync application does not perform a control, to check if the provided server hostname matches the domain name in the provided Common Name or subjectAltName field of the X.509 certificates.

isync vulnerability

The vulnerability allows hackers to perform a man in the middle attack by spoofing the SSL servers via arbitrary valid certificates. Fedora, Gentoo, Openwall published a report on the vulnerable iSync application.

This means that any host with a valid certificate could pretend to be
the wanted host, as long as the certificate store contained the relevant
root certificate. This could be used for man-in-the-middle attacks, which
could be used to steal passwords.

Upgrade to the latest version of iSync.

The update can be installed with the “yum” update program. Use su -c ‘yum update isync’ at the command line. For more information, refer to “Managing Software with yum”, available at http://docs.fedoraproject.org/yum/.