Overview
The Cyrus IMAP server contains a vulnerability that may allow an authenticated attacker to execute code.
Description
The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that may be triggered by a specially crafted SIEVE script. To install this type of script, the attacker would need to have direct access to a mail account on the server.
Impact
An attacker with the ability to install SIEVE scripts may be able to gain elevated privileges and use the new permissions to execute code, read other users' mail, or send spoofed email messages.
Solution
Update
The Cyrus IMAP team has released an update to address this issue. See http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html for more information.
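The note gives an affected upstream range (2.2 through 2.3.14) and points at an update, so the first thing an administrator needs is a reliable way to sort reported versions against that range. The following triage helper is an added example, not code from CERT or the Cyrus project: it extracts the upstream x.y[.z] version from a package version string or banner, compares it as a numeric tuple (string comparison would rank "2.3.9" above "2.3.14"), and classifies a small inventory. The host names and version strings in the sample inventory are constructed for illustration.

```python
"""Triage reported Cyrus IMAP versions against the affected range stated in
the note (2.2 through 2.3.14).  Added example, not CERT or Cyrus project code."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range stated in the note, both ends inclusive.
AFFECTED_MIN: Version = (2, 2, 0)
AFFECTED_MAX: Version = (2, 3, 14)

# Matches the upstream x.y or x.y.z part of a string such as "2.3.14-1"
# (distribution package revision) or "Cyrus IMAP 2.2" (banner text).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) for the first x.y[.z] found in text,
    or None when no version is present.  A missing patch level counts as 0,
    so "2.2" sorts as 2.2.0 and sits at the bottom of the affected range."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_in_affected_range(version: Version) -> bool:
    """Tuple comparison, so 2.3.9 < 2.3.14 < 2.3.15 as expected."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(version_text: str) -> str:
    """Classify one version string.

    'affected-upstream'     -> inside 2.2 .. 2.3.14
    'not-in-affected-range' -> outside that range (the note makes no claim
                               about versions below 2.2, so they are only
                               reported as outside the stated range)
    'unknown'               -> no version could be parsed
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    return "affected-upstream" if is_in_affected_range(version) else "not-in-affected-range"


# Constructed sample inventory: "<host> <reported version>" per line.
SAMPLE_INVENTORY = """\
mail01 2.3.14-1
mail02 2.3.16
mail03 2.2.13-19
mail04 unknown
"""


def triage_inventory(inventory: str) -> Dict[str, str]:
    """Map each host in the inventory text to its triage result.  The host
    field is split off first so digits in a host name are never mistaken
    for a version."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(" ")
        results[host] = triage(version_text)
    return results


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The result is a starting point, not a verdict: distributions that backport the fix keep the upstream version number in their package name (the Debian advisory linked under Vendor Information is an example of such a vendor update), so a host flagged "affected-upstream" must still be checked against the full package revision named in its distribution's advisory before it is treated as unpatched.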
Vendor Information
Debian GNU/Linux Affected
Notified: September 04, 2009 Updated: September 10, 2009
Statement Date: September 09, 2009
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
http://www.us.debian.org/security/2009/dsa-1881
Vendor References
SUSE Linux Affected
Notified: September 04, 2009 Updated: September 10, 2009
Statement Date: September 10, 2009
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
All SUSE Linux products are affected by this issue. Fixed packages will be available soon and can be installed via YaST.
The SCO Group Affected
Notified: September 04, 2009 Updated: September 08, 2009
Statement Date: September 08, 2009
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Slackware Linux Inc. Not Affected
Notified: September 04, 2009 Updated: September 11, 2009
Statement Date: September 09, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. Not Affected
Notified: September 04, 2009 Updated: September 10, 2009
Statement Date: September 10, 2009
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Cray Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
DragonFly BSD Project Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
EMC Corporation Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
F5 Networks, Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fedora Project Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
FreeBSD, Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fujitsu Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Gentoo Linux Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hitachi Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM eServer Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Infoblox Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Juniper Networks, Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Mandriva S. A. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Corporation Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NEC Corporation Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetBSD Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nokia Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Novell, Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
OpenBSD Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Openwall GNU/*/Linux Unknown
Notified: September 04, 2009 Updated: September 10, 2009
Statement Date: September 10, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Openwall GNU/*/Linux is not affected. We do not ship Cyrus IMAPd.
QNX Software Systems Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Red Hat, Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SafeNet Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sony Corporation Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Turbolinux Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ubuntu Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Unisys Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Wind River Systems, Inc. Unknown
Notified: September 04, 2009 Updated: September 05, 2009
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |
References
Acknowledgements
Thanks to the Cyrus IMAP development team and Bron Gondwana for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
Field | Value
---|---
CVE IDs | CVE-2009-2632
Severity Metric | 0.56
Date Public | 2009-09-07
Date First Published | 2009-09-09
Date Last Updated | 2009-09-11 13:15 UTC
Document Revision | 18