Problem:
Versions of UW imapd released prior to January 4, 2005 fail to properly authenticate users when using CRAM-MD5 SASL authentication.
Details:
The University of Washington IMAP server supports several user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) defined by RFC 2195. A logic error in the code that handles CRAM-MD5 specifies the conditions for successful authentication incorrectly, so the server can accept a response that does not prove knowledge of the password. The result is a vulnerability that could allow a remote attacker to authenticate as any user on the target system without that user's password.
Impact limitation:
This vulnerability ONLY affects sites that have explicitly enabled CRAM-MD5 style authentication by creating an /etc/cram-md5.pwd file. CRAM-MD5 style authentication is NOT enabled in the default configuration of UW imapd.
Consequently, sites which do not use CRAM-MD5 style authentication (the majority of UW imapd sites) are NOT vulnerable. An IMAP server which does not advertise CRAM-MD5 style authentication is NOT vulnerable.
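The following is an added example, not code from UW imapd or from this advisory. It shows the two points above in working form: the exposure test (does the server's CAPABILITY response advertise AUTH=CRAM-MD5?) and the RFC 2195 exchange itself, with the client computing HMAC-MD5 over the server's challenge and the server deciding success only when a known user's digest matches. The credential store, host name and transcript strings are constructed for the example; the "tim"/"tanstaaftanstaaf" entry is the RFC 2195 test vector. The function marked hypothetical illustrates the bug class the advisory describes (an inverted success condition) and is not the actual UW imapd defect, which the advisory does not reproduce.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credential store standing in for UW imapd's /etc/cram-md5.pwd
# (the file's on-disk format is not reproduced here). "tim" is the RFC 2195
# example user, so its digest can be checked against the RFC's own value.
PASSWORDS = {
    "tim": "tanstaaftanstaaf",
    "alice": "correct horse battery staple",
}


def advertises_cram_md5(capability_line):
    """True if an untagged CAPABILITY response lists AUTH=CRAM-MD5.

    The advisory's exposure test: a server that does not advertise the
    mechanism has not enabled it and is not affected.
    """
    tokens = capability_line.strip().split()
    if tokens[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response")
    return any(t.upper() == "AUTH=CRAM-MD5" for t in tokens[2:])


def make_challenge(hostname="imap.example.org"):
    """Server side: an RFC 2195 challenge of the form '<random.timestamp@host>'."""
    return "<%d.%d@%s>" % (secrets.randbelow(10**9), int(time.time()), hostname)


def cram_md5_digest(challenge, password):
    """HMAC-MD5 over the challenge, keyed with the shared secret, as lowercase hex."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response(challenge, username, password):
    """Client side: the cleartext response 'username SP hexdigest'."""
    return "%s %s" % (username, cram_md5_digest(challenge, password))


def verify_response(challenge, response, passwords=PASSWORDS):
    """Server side. Returns the authenticated user name, or None on any failure.

    Every early return is a failure; the only path that yields a user name is
    a known user whose digest matches the server's own computation.
    """
    user, sep, digest = response.rpartition(" ")
    if not sep or not user or len(digest) != 32:
        return None                     # malformed response
    password = passwords.get(user)
    if password is None:
        return None                     # unknown user
    expected = cram_md5_digest(challenge, password)
    if not hmac.compare_digest(expected, digest.lower()):
        return None                     # wrong password
    return user


def inverted_verify_hypothetical(challenge, response, passwords=PASSWORDS):
    """Illustration of the bug class only; this is NOT the actual UW imapd code.

    The same routine with the final condition inverted: a correct digest is
    refused and every wrong one is accepted, so knowing a user name is enough.
    """
    user, sep, digest = response.rpartition(" ")
    if not sep or not user or len(digest) != 32:
        return None
    password = passwords.get(user)
    if password is None:
        return None
    if hmac.compare_digest(cram_md5_digest(challenge, password), digest.lower()):
        return None                     # inverted: the success case is rejected
    return user                         # and every failure case is accepted


def run_exchange(username, password, tag="A001", passwords=PASSWORDS):
    """Both sides of an IMAP AUTHENTICATE CRAM-MD5 exchange in one process.

    Returns (transcript lines, authenticated user or None). The base64 wrapping
    is what crosses the wire; the digest is computed over the decoded challenge.
    """
    def b64(s):
        return base64.b64encode(s.encode()).decode()

    challenge = make_challenge()
    lines = ["C: %s AUTHENTICATE CRAM-MD5" % tag, "S: + " + b64(challenge)]
    response = client_response(challenge, username, password)
    lines.append("C: " + b64(response))
    user = verify_response(challenge, response, passwords)
    lines.append("S: %s %s" % (tag, "OK CRAM-MD5 authentication successful"
                               if user else "NO authentication failed"))
    return lines, user


if __name__ == "__main__":
    for line in run_exchange("alice", "correct horse battery staple")[0]:
        print(line)
```

The design point is the shape of verify_response: failure is the default and success is a single, final, positive condition. Note also that CRAM-MD5 requires the server to hold the cleartext password (or an HMAC-MD5 intermediate state), which is why UW imapd keeps a separate password file for it.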
Workaround:
If the site uses CRAM-MD5 style authentication, delete /etc/cram-md5.pwd or rename it to some other name. Note that doing so disables CRAM-MD5 (the server will no longer advertise it) and reverts all passwords to those in the UNIX password system, so clients configured to require CRAM-MD5 will need to use another login method.
Solution:
This problem is fixed in the January 4, 2005 release version of imap-2004b and in all subsequent versions (the current release version is imap-2004c1). This problem is also fixed in the UW imapd version bundled with Pine version 4.62.
The current release version of UW imapd is available at: ftp://ftp.cac.washington.edu/mail/imap.tar.Z
The current release version of Pine is available at:
http://www.washington.edu/pine/getpine
ftp://ftp.cac.washington.edu/pine/
For more details about this issue, please refer to: http://www.kb.cert.org/vuls/id/702777
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
--
------------------------------------------------------------------
For information about this mailing list, and its archives, see: http://www.washington.edu/imap/c-client-list.html
------------------------------------------------------------------