search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Cyrus IMAPd buffer overflow vulnerability

Vulnerability Note VU#336053

Original Release Date: 2009-09-09 | Last Revised: 2009-09-11

Overview

The Cyrus IMAP server contains a vulnerability that may allow an authenticated attacker to execute code.

Description

The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that may be triggered by a specially crafted SIEVE script. To install this type of script, the attacker would need to have direct access to a mail account on the server.

Impact

An attacker with the ability to install SIEVE scripts may be able to gain elevated privileges and use the new permissions to execute code, read other user's mail, or send spoofed email messages.

Solution

Update

The Cyrus IMAP team has released an update to address this issue. See http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html for more information.


Disable SIEVE

Administrators who compile Cyrus IMAP from source can use the --disable-sieve option to mitigate this issue.

Vendor Information

336053
 
Affected   Unknown   Unaffected

Debian GNU/Linux

Notified:  September 04, 2009 Updated:  September 10, 2009

Statement Date:   September 09, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

http://www.us.debian.org/security/2009/dsa-1881

Vendor References

SUSE Linux

Notified:  September 04, 2009 Updated:  September 10, 2009

Statement Date:   September 10, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

All SUSE Linux products are affected by this issue. Fixed packages will be available soon and can be installed via YaST.

The SCO Group

Notified:  September 04, 2009 Updated:  September 08, 2009

Statement Date:   September 08, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc.

Notified:  September 04, 2009 Updated:  September 11, 2009

Statement Date:   September 09, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  September 04, 2009 Updated:  September 10, 2009

Statement Date:   September 10, 2009

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD, Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  September 04, 2009 Updated:  September 10, 2009

Statement Date:   September 10, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Openwall GNU/*/Linux is not affected. We do not ship Cyrus IMAPd.

QNX Software Systems Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  September 04, 2009 Updated:  September 05, 2009

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 40 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to the Cyrus IMAP development team and Bron Gondwana for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2009-2632
Severity Metric: 0.56
Date Public: 2009-09-07
Date First Published: 2009-09-09
Date Last Updated: 2009-09-11 13:15 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.