Contact Details
No response
What happened?
(emailed on 24 May and then 6 June but no responses received)
Netmaker's Pro email sender unconditionally disables TLS certificate verification when connecting to the configured SMTP server. A comment in the source even acknowledges "In production this should be set to false" but the flag is hardcoded true. Any attacker with a network path between the Netmaker host and the SMTP server can intercept outgoing emails — which may carry password-reset tokens or user-invitation links — enabling account takeover without any prior authentication.
Vulnerable Code
File: pro/email/smtp.go:35
// This is only needed when SSL/TLS certificate is not valid on server.
// In production this should be set to false.
d.TLSConfig = &tls.Config{InsecureSkipVerify: true}The InsecureSkipVerify: true flag instructs the Go TLS stack to accept any certificate presented by the SMTP server, including self-signed or attacker-controlled ones. There is no runtime check, no configuration toggle, and no way for operators to re-enable verification.
Impact
- Credential interception: Password-reset emails contain single-use tokens. Intercepting them allows an attacker to reset any user's password and take over the account.
- Invitation link theft: New-user invitations sent via email can be intercepted before the legitimate recipient acts on them.
- Email tampering: An active MitM can modify email body/headers, e.g., replacing links with attacker-controlled ones.
Attack Scenario
- Attacker gains a position on the network path between the Netmaker server and its configured SMTP relay (e.g., corporate mail gateway, cloud SMTP service).
- Attacker presents a fraudulent TLS certificate for the SMTP server. Netmaker accepts it unconditionally.
- A user triggers a password-reset flow from the Netmaker dashboard.
- Attacker captures the reset-token URL from the email in transit, navigates to it first, sets a new password, and gains full account access.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Score: 6.5 (Medium)
Remediation
Remove the hardcoded InsecureSkipVerify: true (or set it to false). If self-signed SMTP certificates must be supported, expose an opt-in configuration variable and default it to false:
d.TLSConfig = &tls.Config{InsecureSkipVerify: servercfg.GetSMTPSkipTLSVerify()}Document that enabling skip-verify is unsafe and should only be used in isolated test environments.
Version
v1.6.0
What OS are you using?
No response
Relevant log output
Contributing guidelines
Contact Details
No response
What happened?
(emailed on 24 May and then 6 June but no responses received)
Netmaker's Pro email sender unconditionally disables TLS certificate verification when connecting to the configured SMTP server. A comment in the source even acknowledges "In production this should be set to false" but the flag is hardcoded
true. Any attacker with a network path between the Netmaker host and the SMTP server can intercept outgoing emails — which may carry password-reset tokens or user-invitation links — enabling account takeover without any prior authentication.Vulnerable Code
File:
pro/email/smtp.go:35The
InsecureSkipVerify: trueflag instructs the Go TLS stack to accept any certificate presented by the SMTP server, including self-signed or attacker-controlled ones. There is no runtime check, no configuration toggle, and no way for operators to re-enable verification.Impact
Attack Scenario
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Score: 6.5 (Medium)
Remediation
Remove the hardcoded
InsecureSkipVerify: true(or set it tofalse). If self-signed SMTP certificates must be supported, expose an opt-in configuration variable and default it tofalse:Document that enabling skip-verify is unsafe and should only be used in isolated test environments.
Version
v1.6.0
What OS are you using?
No response
Relevant log output
Contributing guidelines