MAILSTORE-SA-2020-01: Missing TLS/SSL Certificate Validation in Outlook Add-in

Affected Products

MailStore Outlook Add-in up to 12.1.2
E-Mail Archive Outlook Add-in up to 12.1.2

References

CVE-2020-11806: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11806
CWE-295: https://cwe.mitre.org/data/definitions/295.html

Summary:
The login process of the affected products does not validate the TLS/SSL certificate presented by the server.

Effect:
To exploit a vulnerable Outlook Add-in, the user must use Standard Authentication as login method, so that username and password are transferred over the network. An attacker may then be able to retrieve the login username and password of the user by intercepting the network connection, known as a man-in-the-middle attack. The attacker does not need to be in possession of a valid certificate, and thus can use an arbitrary certificate, including a self-signed one.

If Windows Authentication, based on Kerberos tokens, is used as login method, the potential risk primarily depends on the defined security policies for the Kerberos tokens.

Attack type: Remote

Attack vector(s):
* Man-in-the-middle attack

Solution:
Update Outlook Add-in to version 12.1.3 or higher

Disclosure Timeline:
2020-04-08 Potential vulnerability discovered during development
2020-04-09 Bug report defined as vulnerability report
2020-04-14 CVE number requested
2020-04-16 CVE number assigned
2020-04-23 Software update published
2020-04-23 Public disclosure
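The following Go program is an added illustration of the CWE-295 weakness class described in this advisory; it is not code from the MailStore add-in and makes no claim about how the add-in was implemented. It stands up a local TLS server whose self-signed certificate (from the standard library's httptest package) plays the role of the arbitrary certificate an interceptor could present, then connects three ways: a client that skips verification (the vulnerable pattern), a client with default verification (rejects the untrusted certificate), and a client that explicitly trusts the expected certificate (the correct way to handle a private CA without disabling validation). The helper names Demo, tryLogin and IsUntrustedCertError are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startServer starts a loopback HTTPS server. httptest's built-in self-signed
// certificate is a constructed stand-in for a certificate that no client
// trust store recognises, exactly the kind of certificate CWE-295 lets through.
func startServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A real login endpoint would receive the user's credentials here.
		fmt.Fprint(w, "ok")
	}))
}

// tryLogin opens a TLS connection with the given client configuration and
// reports whether the handshake (and hence a credential submission) would go through.
func tryLogin(url string, cfg *tls.Config) (bool, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// VulnerableConfig disables certificate validation. Any certificate,
// including a self-signed one, is accepted: the CWE-295 pattern.
func VulnerableConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// DefaultConfig keeps the standard library's validation (chain + hostname).
func DefaultConfig() *tls.Config {
	return &tls.Config{}
}

// PinnedConfig keeps validation enabled but trusts one known certificate
// as a root. This is how a client should handle a private or self-signed
// server certificate: add it to the trust store instead of turning checks off.
func PinnedConfig(cert *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &tls.Config{RootCAs: pool}
}

// IsUntrustedCertError reports whether err is the verification failure a
// validating client raises for a certificate signed by an unknown authority.
func IsUntrustedCertError(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo runs the three client configurations against the local server.
func Demo() (vulnOK, defaultOK, pinnedOK bool, defaultErr error) {
	srv := startServer()
	defer srv.Close()
	vulnOK, _ = tryLogin(srv.URL, VulnerableConfig())
	defaultOK, defaultErr = tryLogin(srv.URL, DefaultConfig())
	pinnedOK, _ = tryLogin(srv.URL, PinnedConfig(srv.Certificate()))
	return
}

func main() {
	vulnOK, defaultOK, pinnedOK, defaultErr := Demo()
	fmt.Println("InsecureSkipVerify client connected:", vulnOK) // true: credentials would be sent
	fmt.Println("validating client connected:", defaultOK, "error:", defaultErr)
	fmt.Println("client trusting the known cert connected:", pinnedOK)
}
```

The vulnerable client completes the handshake with the untrusted certificate and would hand over a Standard Authentication username and password to whoever holds the private key; the validating client fails with an unknown-authority error before any application data is sent. Reviewing client code for `InsecureSkipVerify` (or its equivalents in other TLS stacks, such as an always-true certificate validation callback) is the corresponding code-review check.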