Bug 64942 (CVE-2005-0198)

To: SuSE Security Team <security@suse.de> 
From: CERT Coordination Center <cert@cert.org> 
Cc: CERT Coordination Center <cert@cert.org> 
Subject: [security@suse.de] Vulnerability notification: VU#702777 - suse 
 
Hello folks, 
 
We have received a report from the University of Washington of a 
vulnerability in their UW-IMAP server software.  The vulnerability 
affects sites using CRAM-MD5 authentication and can allow a remote 
attacker to authenticate to the IMAP server as any valid user.  A copy 
of the original vulnerability report is included at the bottom of this 
message. 
 
Since this issue has already been addressed in a public release of the 
software, we are proposing to publish a vulnerability note about this 
issue on 2005-01-27.  We may publish sooner if additional public 
discussion occurs before then. 
 
If you have any questions or concerns, please don't hesitate to 
contact us. 
 
Best Regards, 
 
Chad 
 
-- 
Chad Dougherty 
Internet Security Analyst 
__________________________________________________________ 
CERT(R) Coordination Center    |             cert@cert.org 
Software Engineering Institute | Hotline : +1 412.268.7090 
Internet Security Analyst 
__________________________________________________________ 
CERT(R) Coordination Center    |             cert@cert.org 
Software Engineering Institute | Hotline : +1 412.268.7090 
Carnegie Mellon University     |     FAX : +1 412.268.6989 
Pittsburgh, PA 15213-3890      |      http://www.cert.org/ 
========================================================== 
     CERT and CERT Coordination Center are registered 
         in the U.S. Patent and Trademark Office. 
 
    The Software Engineering Institute is sponsored by 
              the U.S. Department of Defense. 
 
***** BEGIN ORIGINAL VULNERABILITY REPORT ***** 
 
TECHNICAL INFO 
=============================================================================== 
If there is a CERT Vulnerability tracking number please put it 
here (otherwise leave blank): VU#702777. 
 
 
Please describe the vulnerability. 
- ---------------------------------- 
 
There is a security bug in our (University of Washington) POP3 and 
IMAP servers which affects ONLY sites which use CRAM-MD5 
authentication (that is, which have an /etc/cram-md5.pwd file 
installed). 
 
The problem DOES NOT affect sites which do not use CRAM-MD5 
authentication.  Use of CRAM-MD5 authentication is NOT the default, 
and consequently sites which use the default authentication are NOT    
affected.  It is expected that only a relatively small 
minority of sites (that use CRAM-MD5 authentication) are affected. 
 
The problem is that after three failing attempts to authenticate using 
CRAM-MD5, the fourth one will always succeed regardless of whether or 
not the password is correct. 
 
 
What is the impact of this vulnerability? 
- ----------------------------------------- 
 
  (For example: local user can gain root/privileged access, intruders 
   can create root-owned files, denial of service attack,  etc.) 
 
    a) What is the specific impact: 
 
On systems which have deployed the non-default CRAM-MD5    
authentication, anyone can log in via POP3 and/or IMAP as an 
authorized user by knowing the target user's userid.  All that is 
necessary is to attempt to authenticate four (4) times.  The fourth 
authentication will always succeed. 
 
    b) How would you envision it being used in an attack scenario: 
 
Bad guys can gain access to other people's private email. 
 
To your knowledge is the vulnerability currently being exploited? 
- ----------------------------------------------------------------- 
         [yes/no] NO 
 
If there is an exploitation script available, please include it here. 
- --------------------------------------------------------------------- 
 
Do you know what systems and/or configurations are vulnerable? 
- -------------------------------------------------------------- 
         [yes/no]  (If yes, please list them below) 
 
         System          : University of Washington IMAP and POP3 servers 
         OS version      : versions 2002, 2002[a-e], 2004a, and all 
                          development snapshots prior to the January 4, 
                          2005 release of version 2004b. 
         Verified/Guessed: verified 
 
Are you aware of any workarounds and/or fixes for this vulnerability? 
- --------------------------------------------------------------------- 
         [yes/no] (If you have a workaround or are aware of patches 
               please include the information here.) 
 
Yes.  Patch to imap-200*/src/c-client/auth_md5.c follows: 
 
Change: 
     u = (md5try && strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? NIL : user; 
To: 
     u = (md5try && !strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? user : NIL; 
 
The effect of this change is to change the old behavior: 
       if retries allowed AND password bad, then fail; else succeed   
to the correct: 
       if retries allowed AND password good, then succeed; else fail 
 
This problem is fixed in the January 4, 2005 release version of 
imap-2004b, on: 
       ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z    
The convenience link: 
       ftp://ftp.cac.washington.edu/mail/imap.tar.Z 
now points to this version. 
 
***** END ORIGINAL VULNERABILITY REPORT *****