A buffer overflow vulnerability exists in versions of Cyrus IMAP Server up to and including 2.1.10. This vulnerability may allow a remote attacker to execute arbitrary code on the mail server with the privileges of the Cyrus IMAP Server.
Cyrus IMAP Server is an e-mail application that uses the Internet Message Access Protocol (lMAP). Versions prior to 2.1.10 and 2.0.16 contain a buffer overflow vulnerability that may be exploited prior to authentication to the IMAP server. This vulnerability may allow a remote attacker to execute arbitrary code on the mail server with the privileges of the Cyrus IMAP Server. Exploitation of this vulnerability may also be limited by the implementation of malloc() being used on the system.
A remote attacker can execute arbitrary code on the system with the privileges of the Cyrus IMAP Server. This is not typically root, but may lead to the ability to read all mail on the system.
This issue is resolved in version 2.1.11 and 2.0.17.
Version 1.x is not supported and there are no plans for any new releases for this series. Users are urged to upgrade to 2.0.17 or 2.1.11.
This vulnerability was discovered by Timo Sirainen.
This document was written by Jason A Rafail.
|Date First Published:||2002-12-03|
|Date Last Updated:||2002-12-05 19:31 UTC|