Bugzilla – Bug 64942
VUL-0: CVE-2005-0198: uw-imapd cram-md5 auth problem
Last modified: 2021-11-02 16:25:08 UTC
To: SuSE Security Team <security@suse.de>
From: CERT Coordination Center <cert@cert.org>
Cc: CERT Coordination Center <cert@cert.org>
Subject: [security@suse.de] Vulnerability notification: VU#702777 - suse

Hello folks,

We have received a report from the University of Washington of a vulnerability in their UW-IMAP server software. The vulnerability affects sites using CRAM-MD5 authentication and can allow a remote attacker to authenticate to the IMAP server as any valid user. A copy of the original vulnerability report is included at the bottom of this message.

Since this issue has already been addressed in a public release of the software, we are proposing to publish a vulnerability note about this issue on 2005-01-27. We may publish sooner if additional public discussion occurs before then.

If you have any questions or concerns, please don't hesitate to contact us.

Best Regards,
Chad

--
Chad Dougherty
Internet Security Analyst
__________________________________________________________
CERT(R) Coordination Center      | cert@cert.org
Software Engineering Institute   | Hotline : +1 412.268.7090
Carnegie Mellon University       | FAX     : +1 412.268.6989
Pittsburgh, PA 15213-3890        | http://www.cert.org/
==========================================================
CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office. The Software Engineering Institute is sponsored by the U.S. Department of Defense.

***** BEGIN ORIGINAL VULNERABILITY REPORT *****

TECHNICAL INFO
===============================================================================

If there is a CERT Vulnerability tracking number please put it here (otherwise leave blank): VU#702777.

Please describe the vulnerability.
----------------------------------

There is a security bug in our (University of Washington) POP3 and IMAP servers which affects ONLY sites which use CRAM-MD5 authentication (that is, which have an /etc/cram-md5.pwd file installed). The problem DOES NOT affect sites which do not use CRAM-MD5 authentication. Use of CRAM-MD5 authentication is NOT the default, and consequently sites which use the default authentication are NOT affected. It is expected that only a relatively small minority of sites (that use CRAM-MD5 authentication) are affected.

The problem is that after three failing attempts to authenticate using CRAM-MD5, the fourth one will always succeed regardless of whether or not the password is correct.

What is the impact of this vulnerability?
-----------------------------------------
(For example: local user can gain root/privileged access, intruders can create root-owned files, denial of service attack, etc.)

a) What is the specific impact:

On systems which have deployed the non-default CRAM-MD5 authentication, anyone can log in via POP3 and/or IMAP as an authorized user by knowing the target user's userid. All that is necessary is to attempt to authenticate four (4) times. The fourth authentication will always succeed.

b) How would you envision it being used in an attack scenario:

Bad guys can gain access to other people's private email.

To your knowledge is the vulnerability currently being exploited?
-----------------------------------------------------------------
[yes/no] NO

If there is an exploitation script available, please include it here.
---------------------------------------------------------------------

Do you know what systems and/or configurations are vulnerable?
--------------------------------------------------------------
[yes/no] (If yes, please list them below)

System : University of Washington IMAP and POP3 servers
OS version : versions 2002, 2002[a-e], 2004a, and all development snapshots prior to the January 4, 2005 release of version 2004b.
Verified/Guessed: verified

Are you aware of any workarounds and/or fixes for this vulnerability?
---------------------------------------------------------------------
[yes/no] (If you have a workaround or are aware of patches please include the information here.)

Yes. Patch to imap-200*/src/c-client/auth_md5.c follows:

Change:
    u = (md5try && strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? NIL : user;
To:
    u = (md5try && !strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? user : NIL;

The effect of this change is to change the old behavior:
    if retries allowed AND password bad, then fail; else succeed
to the correct:
    if retries allowed AND password good, then succeed; else fail

This problem is fixed in the January 4, 2005 release version of imap-2004b, on:
    ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z

The convenience link:
    ftp://ftp.cac.washington.edu/mail/imap.tar.Z
now points to this version.

***** END ORIGINAL VULNERABILITY REPORT *****
Reproduce: n/a
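The one-line fix above is easy to misread, so here is the decision logic modelled as an added example (not UW c-client code): hmac_md5 is replaced by a constructed digest table, and, following the report's "three failures, then the fourth succeeds", the model assumes md5try starts at 3 and is decremented after every refused attempt. It runs the quoted vulnerable expression and the fixed one side by side over the same sequence of client responses.

```c
#include <stdio.h>
#include <string.h>
#define NIL NULL
#define MD5TRY 3  /* assumed: tries allowed before the counter reaches 0 (report: three failures) */

typedef const char *(*decide_fn)(int, const char *, const char *, const char *);

/* Constructed stand-in for hmac_md5(chal,cl,p,pl), which returns the hex HMAC-MD5 of the
 * challenge keyed by the stored password; a fixed digest per password is enough here. */
static const char *fake_hmac(const char *stored_pw)
{
    return strcmp(stored_pw, "correct-horse") == 0 ? "0f1e2d-correct" : "ffffff-other";
}

/* Vulnerable line quoted in the report (imap-2004a and earlier): once md5try is 0 the &&
 * short-circuits to false, the ?: yields `user`, and the client's digest is never compared. */
const char *decide_vulnerable(int md5try, const char *hash, const char *stored_pw, const char *user)
{
    return (md5try && strcmp(hash, fake_hmac(stored_pw))) ? NIL : user;
}

/* Fixed line from imap-2004b: a name comes back only if a try remains AND the digests match. */
const char *decide_fixed(int md5try, const char *hash, const char *stored_pw, const char *user)
{
    return (md5try && !strcmp(hash, fake_hmac(stored_pw))) ? user : NIL;
}

/* Replays n client digests against the stored password, decrementing the try counter after
 * each refusal. Returns the 1-based attempt on which a username (login) came back, else 0. */
int first_success(decide_fn decide, const char *const hashes[], int n, const char *stored_pw)
{
    int md5try = MD5TRY;
    for (int i = 0; i < n; i++) {
        if (decide(md5try, hashes[i], stored_pw, "alice")) return i + 1;
        if (md5try) md5try--;
    }
    return 0;
}

/* Constructed client responses: four bogus digests, and three bogus then the correct one. */
const char *const bogus4[] = {"bogus", "bogus", "bogus", "bogus"};
const char *const late4[]  = {"bogus", "bogus", "bogus", "0f1e2d-correct"};

int main(void)
{
    printf("vulnerable, 4 bogus: granted on attempt %d\n", first_success(decide_vulnerable, bogus4, 4, "correct-horse"));
    printf("fixed, 4 bogus:      granted on attempt %d\n", first_success(decide_fixed, bogus4, 4, "correct-horse"));
    printf("fixed, good on 4th:  granted on attempt %d\n", first_success(decide_fixed, late4, 4, "correct-horse"));
    return 0;
}
```

Note that under the fixed expression a correct digest on the fourth attempt is also refused: once the tries are exhausted the session fails regardless, which is the "else fail" branch the report describes.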
This is not public yet.
Heiko? Do you have time to fix this?
Yes, I'll try to get this done before the weekend.
Still not public yet, I think.
Affected are 8.2, 9.0, 9.1, 9.2 (incl. SLES8 and SLES9). Doing check-ins right now.
CAN-2005-0198 SM-Tracker-419
/work/src/done/PATCHINFO/imap.patch.maintained /work/src/done/PATCHINFO/imap.patch.box
Public...
Updated packages + advisory released.
CVE-2005-0198: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)