Vulnerability Note VU#702777
UW-imapd fails to properly authenticate users when using CRAM-MD5
Overview
A vulnerability in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user's mailbox.
Description
The Internet Message Access Protocol (IMAP) is a method of accessing electronic messages kept on a remote mail server and is specified in RFC3501. The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195. A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system. This vulnerability only affects sites that have explicitly enabled CRAM-MD5 style authentication; it is not enabled in the default configuration of the UW-IMAP server.
Impact
A remote attacker could authenticate as any user on the target system and thereby read and delete email in the authorized user's account.
Solution
Upgrade or apply a patch
Fixed versions of the software have been released to address this issue. Please see the Systems Affected section of this document for more details.
Systems Affected
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Gentoo | Affected | - | 08 Feb 2005 |
MandrakeSoft | Affected | 17 Jan 2005 | 08 Feb 2005 |
Red Hat Inc. | Affected | 17 Jan 2005 | 25 Feb 2005 |
SGI | Affected | 17 Jan 2005 | 17 Mar 2005 |
TurboLinux | Affected | 17 Jan 2005 | 28 Apr 2005 |
University of Washington | Affected | 14 Jan 2005 | 24 Jan 2005 |
Apple Computer Inc. | Not Affected | 17 Jan 2005 | 18 Jan 2005 |
Fujitsu | Not Affected | 17 Jan 2005 | 08 Feb 2005 |
Hitachi | Not Affected | 17 Jan 2005 | 18 Jan 2005 |
Microsoft Corporation | Not Affected | 17 Jan 2005 | 20 Jan 2005 |
NEC Corporation | Not Affected | 17 Jan 2005 | 17 Mar 2005 |
Sun Microsystems Inc. | Not Affected | 17 Jan 2005 | 24 Jan 2005 |
Conectiva | Unknown | 17 Jan 2005 | 18 Jan 2005 |
Cray Inc. | Unknown | 17 Jan 2005 | 18 Jan 2005 |
Debian | Unknown | 17 Jan 2005 | 18 Jan 2005 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- None
Credit
Thanks to Mark Crispin and Hugh Sheets of the University of Washington for reporting this vulnerability.
This document was written by Chad R Dougherty.
Other Information
- CVE IDs: CAN-2005-0198
- Date Public: 04 Jan 2005
- Date First Published: 27 Jan 2005
- Date Last Updated: 28 Apr 2005
- Severity Metric: 6.08
- Document Revision: 20