Vulnerability Note VU#702777
UW-imapd fails to properly authenticate users when using CRAM-MD5
Overview
A vulnerability in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user's mailbox.
Description
The Internet Message Access Protocol (IMAP) is a method of accessing electronic messages kept on a remote mail server and is specified in RFC3501. The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195. A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system. This vulnerability only affects sites that have explicitly enabled CRAM-MD5 style authentication; it is not enabled in the default configuration of the UW-IMAP server.
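The following is an added example, not UW-imapd's code and not a reconstruction of its specific defect: a minimal RFC 2195 server-side check in Python in which success is stated as one explicit condition (known user AND matching digest) and every other path returns failure. The function name, the in-memory secret store and the dummy key are assumptions made for illustration; the user, secret and challenge are the sample values from RFC 2195.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store holding the RFC 2195 sample user and secret.
SECRETS = {"tim": b"tanstaaftanstaaf"}

# Key used only so unknown users still cost one HMAC computation (assumption).
_DUMMY_KEY = b"\x00"


def verify_cram_md5(challenge, response_b64, secrets=SECRETS):
    """Return the authenticated user name, or None on any failure."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # malformed encoding never authenticates

    # RFC 2195 response: "<user> <32 hex digits>". The user name may contain
    # spaces, so split on the last space only.
    user, sep, digest = decoded.rpartition(" ")
    if not sep or not user or len(digest) != 32:
        return None

    secret = secrets.get(user)
    expected = hmac.new(secret if secret is not None else _DUMMY_KEY,
                        challenge, hashlib.md5).hexdigest()
    digest_ok = hmac.compare_digest(expected.encode(),
                                    digest.lower().encode())

    # The only success path: both conditions must hold. No retry counter,
    # flag or default value can turn a failed comparison into a login.
    if secret is not None and digest_ok:
        return user
    return None
```

Negative cases (wrong digest, unknown user, malformed response) are worth keeping as regression tests, since this class of logic error is invisible to tests that only exercise a successful login.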
Impact
A remote attacker could authenticate as any user on the target system and thereby read and delete email in the authorized user's account.
Solution
Upgrade or apply a patch
Fixed versions of the software have been released to address this issue. Please see the Systems Affected section of this document for more details.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Gentoo | Affected | - | 08 Feb 2005 |
| MandrakeSoft | Affected | 17 Jan 2005 | 08 Feb 2005 |
| Red Hat Inc. | Affected | 17 Jan 2005 | 25 Feb 2005 |
| SGI | Affected | 17 Jan 2005 | 17 Mar 2005 |
| TurboLinux | Affected | 17 Jan 2005 | 28 Apr 2005 |
| University of Washington | Affected | 14 Jan 2005 | 24 Jan 2005 |
| Apple Computer Inc. | Not Affected | 17 Jan 2005 | 18 Jan 2005 |
| Fujitsu | Not Affected | 17 Jan 2005 | 08 Feb 2005 |
| Hitachi | Not Affected | 17 Jan 2005 | 18 Jan 2005 |
| Microsoft Corporation | Not Affected | 17 Jan 2005 | 20 Jan 2005 |
| NEC Corporation | Not Affected | 17 Jan 2005 | 17 Mar 2005 |
| Sun Microsystems Inc. | Not Affected | 17 Jan 2005 | 24 Jan 2005 |
| Conectiva | Unknown | 17 Jan 2005 | 18 Jan 2005 |
| Cray Inc. | Unknown | 17 Jan 2005 | 18 Jan 2005 |
| Debian | Unknown | 17 Jan 2005 | 18 Jan 2005 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
Credit
Thanks to Mark Crispin and Hugh Sheets of the University of Washington for reporting this vulnerability.
This document was written by Chad R Dougherty.
Other Information
- CVE IDs: CAN-2005-0198
- Date Public: 04 Jan 2005
- Date First Published: 27 Jan 2005
- Date Last Updated: 28 Apr 2005
- Severity Metric: 6.08
- Document Revision: 20
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.