Vulnerability Note VU#702777

UW-imapd fails to properly authenticate users when using CRAM-MD5

Original Release date: 27 Jan 2005 | Last revised: 28 Apr 2005


A vulnerablility in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user's mailbox.


The Internet Message Access Protocol (IMAP) is a method of accessing electronic messages kept on a remote mail server and is specified in RFC3501. The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195. A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system. This vulnerability only affects sites that have explicitly enabled CRAM-MD5 style authentication; it is not enabled in the default configuration of the UW-IMAP server.


A remote attacker could authenticate as any user on the target system and thereby read and delete email in the authorized user's account.


Upgrade or apply a patch

Fixed versions of the software have been released to address this issue. Please see the Systems Affected section of this document for more details.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
GentooAffected-08 Feb 2005
MandrakeSoftAffected17 Jan 200508 Feb 2005
Red Hat Inc.Affected17 Jan 200525 Feb 2005
SGIAffected17 Jan 200517 Mar 2005
TurboLinuxAffected17 Jan 200528 Apr 2005
University of WashingtonAffected14 Jan 200524 Jan 2005
Apple Computer Inc.Not Affected17 Jan 200518 Jan 2005
FujitsuNot Affected17 Jan 200508 Feb 2005
HitachiNot Affected17 Jan 200518 Jan 2005
Microsoft CorporationNot Affected17 Jan 200520 Jan 2005
NEC CorporationNot Affected17 Jan 200517 Mar 2005
Sun Microsystems Inc.Not Affected17 Jan 200524 Jan 2005
ConectivaUnknown17 Jan 200518 Jan 2005
Cray Inc.Unknown17 Jan 200518 Jan 2005
DebianUnknown17 Jan 200518 Jan 2005
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A


  • None


Thanks to Mark Crispin and Hugh Sheets of the University of Washington for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CAN-2005-0198
  • Date Public: 04 Jan 2005
  • Date First Published: 27 Jan 2005
  • Date Last Updated: 28 Apr 2005
  • Severity Metric: 6.08
  • Document Revision: 20


If you have feedback, comments, or additional information about this vulnerability, please send us email.