Overview
A vulnerability in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user's mailbox.
Description
The Internet Message Access Protocol (IMAP) is a method of accessing electronic messages kept on a remote mail server and is specified in RFC3501. The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195. A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system. This vulnerability only affects sites that have explicitly enabled CRAM-MD5 style authentication; it is not enabled in the default configuration of the UW-IMAP server.
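To make the "conditions of successful authentication" concrete, here is a server-side CRAM-MD5 verifier written in Python as an added example for this note; it is not UW-IMAP code and does not reproduce the UW-IMAP defect, and the `lookup_password` callback and the demo account are assumptions. It follows RFC 2195: the server sends a fresh challenge, the client answers with base64("user hex(HMAC-MD5(password, challenge))"), and the only path to success is an exact, constant-time digest match.

```python
# Added example for this note: a server-side CRAM-MD5 (RFC 2195) verifier.
# It is not UW-IMAP code; lookup_password and the demo account are assumed.
import base64
import hmac
import secrets
import time


def make_challenge(hostname):
    """Fresh, unpredictable RFC 2195 challenge (msg-id syntax) for one session."""
    return "<%d.%d@%s>" % (secrets.randbits(64), int(time.time()), hostname)


def expected_digest(challenge, password):
    """hex(HMAC-MD5(key=password, text=challenge)), 32 lowercase hex chars."""
    return hmac.new(password.encode(), challenge.encode(), "md5").hexdigest()


def client_response(user, challenge, password):
    """What a client sends back: base64('user' + ' ' + hexdigest)."""
    line = "%s %s" % (user, expected_digest(challenge, password))
    return base64.b64encode(line.encode()).decode("ascii")


def verify_cram_md5(challenge, response_b64, lookup_password):
    """Return the authenticated user name, or None on any failure.

    lookup_password(user) returns the stored cleartext password or None.
    Every branch except the final exact-match check returns None, so a
    malformed, unknown-user or mismatched response can never succeed.
    """
    try:
        response = base64.b64decode(response_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = response.split(" ")
    if len(parts) != 2:
        return None
    user, digest = parts
    if len(digest) != 32 or not all(c in "0123456789abcdef" for c in digest):
        return None
    password = lookup_password(user)
    if password is None:
        # Spend the same HMAC cost for unknown users so they are not
        # distinguishable by timing, then fail closed.
        hmac.compare_digest(expected_digest(challenge, "x" * 16), digest)
        return None
    if not hmac.compare_digest(expected_digest(challenge, password), digest):
        return None
    return user


if __name__ == "__main__":
    # Constructed demo account; a real server would read a credential store.
    accounts = {"alice": "correct horse battery staple"}
    ch = make_challenge("imap.example.test")
    print("S: + " + base64.b64encode(ch.encode()).decode("ascii"))
    resp = client_response("alice", ch, accounts["alice"])
    print("C: " + resp)
    print("authenticated as:", verify_cram_md5(ch, resp, accounts.get))
    # Replaying the same response against a new challenge must fail.
    print("replay:", verify_cram_md5(make_challenge("imap.example.test"), resp, accounts.get))
```

The test vector below is the one given in RFC 2195 (user "tim", password "tanstaaftanstaaf"); an unknown user, a wrong password, a replayed response and a malformed line all fail closed.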
Impact
A remote attacker could authenticate as any user on the target system and thereby read and delete email in the authorized user's account.
Solution
Upgrade or apply a patch
Fixed versions of the software have been released to address this issue. Please see the Systems Affected section of this document for more details.
Vendor Information
Gentoo Affected
Updated: February 08, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The Gentoo security team has published Gentoo Linux Security Advisory GLSA 200502-02 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MandrakeSoft Affected
Notified: January 17, 2005 Updated: February 08, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The Mandrakesoft security team has published Mandrakelinux Security Update Advisory MDKSA-2005:026 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
Red Hat Inc. Affected
Notified: January 17, 2005 Updated: February 25, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Red Hat has published Red Hat Security Advisory RHSA-2005:128 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
SGI Affected
Notified: January 17, 2005 Updated: March 17, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SGI has published SGI Security Advisory 20050301-01-U in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.
TurboLinux Affected
Notified: January 17, 2005 Updated: April 28, 2005
Status
Affected
Vendor Statement
This issue was fixed.
Please refer to these sites:
http://www.turbolinux.com/security/2005/TLSA-2005-32.txt
http://www.turbolinux.co.jp/security/2005/TLSA-2005-32j.txt
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
University of Washington Affected
Notified: January 14, 2005 Updated: January 24, 2005
Status
Affected
Vendor Statement
This problem is fixed in the January 4, 2005 release version of
imap-2004b, on:
ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z
The convenience link:
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
now points to this version.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Apple Computer Inc. Not Affected
Notified: January 17, 2005 Updated: January 18, 2005
Status
Not Affected
Vendor Statement
Apple does not provide the UW-IMAP Server software for either
Mac OS X Client or Mac OS X Server.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Fujitsu Not Affected
Notified: January 17, 2005 Updated: February 08, 2005
Status
Not Affected
Vendor Statement
Name: Fujitsu
Status: Not Vulnerable (still under exam)
Date Notified: Fri, 28 Jan 2005 12:44:30 +0900
Statement: No statement is currently available.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Hitachi Not Affected
Notified: January 17, 2005 Updated: January 18, 2005
Status
Not Affected
Vendor Statement
NOT VULNERABLE
HI-UX/WE2 is NOT Vulnerable to this issue.
Hitachi Groupmax Mail (IMAP & POP interface) is NOT Vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Microsoft Corporation Not Affected
Notified: January 17, 2005 Updated: January 20, 2005
Status
Not Affected
Vendor Statement
Please note that at this point, we have conducted an investigation and are unaware of any Microsoft products affected by the vulnerability as reported.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
NEC Corporation Not Affected
Notified: January 17, 2005 Updated: March 17, 2005
Status
Not Affected
Vendor Statement
* NEC products are NOT susceptible to this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Sun Microsystems Inc. Not Affected
Notified: January 17, 2005 Updated: January 24, 2005
Status
Not Affected
Vendor Statement
Sun is not affected by this vulnerability. Solaris 9 includes version
2003.83 of the University of Washington IMAP/POP3 software on the Companion
CD:
http://www.sun.com/software/solaris/freeware/index.html
as an unsupported package which installs to /opt/sfw, however this version
is not affected by this vulnerability. The Sun Java Desktop System
doesn't ship any IMAP/POP3 software.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Conectiva Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Cray Inc. Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Debian Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
EMC Corporation Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Engarde Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
F5 Networks Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
FreeBSD Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Hewlett-Packard Company Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
IBM Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
IBM eServer Unknown
Notified: January 17, 2005 Updated: February 01, 2005
Status
Unknown
Vendor Statement
For information related to this and other published CERT
Advisories that may relate to the IBM eServer Platforms (xSeries,
iSeries, pSeries, and zSeries) please go to
https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=
In order to access this information you will require a Resource Link ID.
To subscribe to Resource Link go to
http://app-06.www.ibm.com/servers/resourcelink
and follow the steps for registration.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
IBM-zSeries Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Immunix Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Ingrian Networks Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Juniper Networks Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
MontaVista Software Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
NetBSD Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Nokia Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Novell Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
OpenBSD Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Openwall GNU/*/Linux Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
SCO-LINUX Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
SCO-UNIX Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Sequent Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Sony Corporation Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
SuSE Inc. Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Unisys Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
Wind River Systems Inc. Unknown
Notified: January 17, 2005 Updated: January 18, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
US-CERT has no additional comments at this time.
CVSS Metrics
Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |
References
Acknowledgements
Thanks to Mark Crispin and Hugh Sheets of the University of Washington for reporting this vulnerability.
This document was written by Chad R Dougherty.
Other Information
CVE IDs: CVE-2005-0198
Severity Metric: 6.08
Date Public: 2005-01-04
Date First Published: 2005-01-27
Date Last Updated: 2005-04-28 14:09 UTC
Document Revision: 21