Vulnerability Note VU#702777
UW-imapd fails to properly authenticate users when using CRAM-MD5
A vulnerability in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user's mailbox.
The Internet Message Access Protocol (IMAP) is a method of accessing electronic messages kept on a remote mail server and is specified in RFC3501. The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195. A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system. This vulnerability only affects sites that have explicitly enabled CRAM-MD5 style authentication; it is not enabled in the default configuration of the UW-IMAP server.
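The RFC 2195 exchange named above, as an added example that is not UW-imapd's code and not part of the original note: a client response and a server-side verifier whose only success condition is a digest match for a known user. The names `SECRETS`, `client_response` and `verify_response` are hypothetical; the sample user, secret and challenge are the ones from the example in RFC 2195.

```python
import base64
import binascii
import hmac

# Constructed credential store (hypothetical name); the entry is the
# sample user and shared secret from the example in RFC 2195.
SECRETS = {"tim": b"tanstaaftanstaaf"}


def client_response(user: str, secret: bytes, challenge: bytes) -> bytes:
    """Client side: base64("<user> <hex HMAC-MD5(secret, challenge)>")."""
    digest = hmac.new(secret, challenge, "md5").hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def verify_response(challenge: bytes, b64_response: bytes, secrets=SECRETS):
    """Server side: return the authenticated user name, or None.

    Fails closed: the single path that returns a user name requires a
    well-formed response, a known user, and a digest that matches the
    challenge this server issued. Every other path returns None.
    """
    try:
        decoded = base64.b64decode(b64_response, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user name may contain spaces, so split on the last one.
    user, sep, digest = decoded.rpartition(" ")
    if not sep or not user:
        return None
    secret = secrets.get(user)
    # Compute a digest for unknown users too, so both paths do the same work.
    expected = hmac.new(secret or b"\x00", challenge, "md5").hexdigest()
    matches = hmac.compare_digest(expected.encode(), digest.lower().encode())
    if secret is None or not matches:
        return None
    return user


if __name__ == "__main__":
    ch = b"<1896.697170952@postoffice.reston.mci.net>"
    good = client_response("tim", SECRETS["tim"], ch)
    print(good.decode(), "->", verify_response(ch, good))
    bad = client_response("tim", b"guess", ch)
    print(bad.decode(), "->", verify_response(ch, bad))
```

Writing the verifier so that rejection is the default and acceptance is one explicit branch makes the conditions of successful authentication easy to review and to cover with negative tests.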
A remote attacker could authenticate as any user on the target system and thereby read and delete email in the authorized user's account.
Upgrade or apply a patch
Fixed versions of the software have been released to address this issue. Please see the Systems Affected section of this document for more details.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Gentoo | Affected | - | 08 Feb 2005 |
| MandrakeSoft | Affected | 17 Jan 2005 | 08 Feb 2005 |
| Red Hat Inc. | Affected | 17 Jan 2005 | 25 Feb 2005 |
| SGI | Affected | 17 Jan 2005 | 17 Mar 2005 |
| TurboLinux | Affected | 17 Jan 2005 | 28 Apr 2005 |
| University of Washington | Affected | 14 Jan 2005 | 24 Jan 2005 |
| Apple Computer Inc. | Not Affected | 17 Jan 2005 | 18 Jan 2005 |
| Fujitsu | Not Affected | 17 Jan 2005 | 08 Feb 2005 |
| Hitachi | Not Affected | 17 Jan 2005 | 18 Jan 2005 |
| Microsoft Corporation | Not Affected | 17 Jan 2005 | 20 Jan 2005 |
| NEC Corporation | Not Affected | 17 Jan 2005 | 17 Mar 2005 |
| Sun Microsystems Inc. | Not Affected | 17 Jan 2005 | 24 Jan 2005 |
| Conectiva | Unknown | 17 Jan 2005 | 18 Jan 2005 |
| Cray Inc. | Unknown | 17 Jan 2005 | 18 Jan 2005 |
| Debian | Unknown | 17 Jan 2005 | 18 Jan 2005 |
Thanks to Mark Crispin and Hugh Sheets of the University of Washington for reporting this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: CAN-2005-0198
- Date Public: 04 Jan 2005
- Date First Published: 27 Jan 2005
- Date Last Updated: 28 Apr 2005
- Severity Metric: 6.08
- Document Revision: 20