Package: uw-imapd
Severity: grave
Justification: user security hole

The following email appeared on the c-client mailing list today. Thus I
suppose the currently shipping libc-client is vulnerable too:


From [EMAIL PROTECTED] Fri Jan 28 08:33:16 2005
Date: Thu, 27 Jan 2005 14:23:14 -0800 (Pacific Standard Time)
From: Mark Crispin <[EMAIL PROTECTED]>
To: c-client Interest List <[EMAIL PROTECTED]>,
     [EMAIL PROTECTED]
Subject: vulnerability and fix in UW imapd

Problem:

Versions of UW imapd released prior to January 4, 2005 fail to properly 
authenticate users when using CRAM-MD5 SASL authentication.


Details:

The University of Washington IMAP server features multiple user 
authentication methods, including the Challenge-Response Authentication 
Mechanism with MD5 (CRAM-MD5) as defined by RFC2195.  A logic error in the 
code that handles CRAM-MD5 incorrectly specifies the conditions of 
successful authentication.  This error results in a vulnerability that 
could allow a remote attacker to successfully authenticate as any user on 
the target system.


Impact limitation:

This vulnerability ONLY affects sites that have explicitly enabled 
CRAM-MD5 style authentication by creating an /etc/cram-md5.pwd file. 
CRAM-MD5 style authentication is NOT enabled in the default configuration 
of UW imapd.

Consequently, sites which do not use CRAM-MD5 style authentication (the 
majority of UW imapd sites) are NOT vulnerable.  An IMAP server which does 
not advertise CRAM-MD5 style authentication is NOT vulnerable.


Workaround:

If the site uses CRAM-MD5 style authentication, delete or rename the 
/etc/cram-md5.pwd file to some other name.  Note that doing so will revert 
all passwords to those in the UNIX password system.


Solution:

This problem is fixed in the January 4, 2005 release version of imap-2004b 
and in all subsequent versions (the current release version is 
imap-2004c1).  This problem is also fixed in the UW imapd version bundled 
with Pine version 4.62.

The current release version of UW imapd is available at:
        ftp://ftp.cac.washington.edu/mail/imap.tar.Z

The current release version of Pine is available at:
        http://www.washington.edu/pine/getpine
        ftp://ftp.cac.washington.edu/pine/

For more details about this issue, please refer to:
        http://www.kb.cert.org/vuls/id/702777

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
-- 
------------------------------------------------------------------
 For information about this mailing list, and its archives, see: 
 http://www.washington.edu/imap/c-client-list.html
------------------------------------------------------------------
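The advisory above describes the failure class (a CRAM-MD5 verifier whose conditions of success are mis-specified) without showing code. The following Python sketch is an added example, not code from UW imapd, c-client or Mark Crispin's message: it implements the RFC 2195 exchange on both sides and pairs the server-side verifier with the negative-case regression check that catches exactly this class of bug. The secret-table format (one `user<TAB>secret` line) is an assumption loosely modelled on the `/etc/cram-md5.pwd` file the advisory mentions; the real file layout is not described here. The user `tim`, secret `tanstaaftanstaaf` and challenge `<1896.697170952@postoffice.reston.mci.net>` are RFC 2195's own worked example, so the digest can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample secret table. The "user<TAB>secret" layout is ASSUMED,
# loosely modelled on /etc/cram-md5.pwd; the advisory does not describe the
# real file format. "tim"/"tanstaaftanstaaf" is RFC 2195's example pair.
SAMPLE_SECRET_TABLE = "tim\ttanstaaftanstaaf\nalice\tcorrect horse battery staple\n"


def load_secrets(text):
    """Parse the constructed table into {username: shared_secret}."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, secret = line.partition("\t")
        table[user] = secret
    return table


def make_challenge(hostname="imap.example.test"):
    """RFC 2195 challenge: a unique, unpredictable "<id.timestamp@host>" string."""
    return "<%d.%d@%s>" % (secrets.randbits(32), int(time.time()), hostname)


def cram_md5_digest(secret, challenge):
    """Keyed MD5 (HMAC-MD5, RFC 2104) of the challenge, as lowercase hex."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response(username, secret, challenge):
    """What the client sends on the wire: base64("user" SP digest)."""
    line = "%s %s" % (username, cram_md5_digest(secret, challenge))
    return base64.b64encode(line.encode()).decode()


def verify_response(wire_response, challenge, table):
    """Server side. Return True only when every condition of success holds:
    the line decodes, has exactly two fields, names a known user, carries a
    well-formed 32-hex-digit digest, and that digest equals the one the
    server computes itself. Every other outcome is a failed authentication."""
    try:
        line = base64.b64decode(wire_response, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    parts = line.split(" ")
    if len(parts) != 2:
        return False
    username, digest = parts
    secret = table.get(username)
    if secret is None:
        return False
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return False
    expected = cram_md5_digest(secret, challenge)
    # Constant-time comparison; this boolean is the sole success condition.
    return hmac.compare_digest(expected, digest)


def negative_cases_rejected(table, challenge):
    """Regression check a verifier must pass: the genuine response is accepted
    and every constructed wrong response is refused. A verifier whose success
    condition is mis-specified fails this, which is why authentication tests
    must exercise rejection, not only the happy path."""
    good = client_response("tim", table["tim"], challenge)
    wrong = [
        client_response("tim", "not the secret", challenge),        # wrong password
        client_response("mallory", "anything", challenge),          # unknown user
        client_response("tim", table["tim"], "<other@host>"),       # digest for a different challenge
        base64.b64encode(b"tim").decode(),                          # digest field missing
        base64.b64encode(("tim " + "0" * 32).encode()).decode(),    # well-formed but wrong
        base64.b64encode(("tim " + "z" * 32).encode()).decode(),    # not hex
        "not base64!",                                              # undecodable
    ]
    accepted_good = verify_response(good, challenge, table)
    rejected_all = not any(verify_response(w, challenge, table) for w in wrong)
    return accepted_good and rejected_all


if __name__ == "__main__":
    table = load_secrets(SAMPLE_SECRET_TABLE)
    challenge = make_challenge()
    print("challenge:", challenge)
    print("negative cases rejected:", negative_cases_rejected(table, challenge))
```

The design point is that `verify_response` has one success path and many explicit failure paths, each returning `False`, and that the test suite asserts on the failures as well as the success. The advisory's workaround (removing the secret file) maps onto `table` being empty: with no entries, `table.get()` never succeeds and the mechanism cannot accept anyone.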



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.22
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages uw-imapd depends on:
ii  debconf                 1.4.30.11        Debian configuration management sy
ii  libc-client2002edebian  7:2002edebian1-4 UW c-client library for mail proto
ii  libc6                   2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libcomerr2              1.35-6           The Common Error Description libra
ii  libkrb53                1.3.6-1          MIT Kerberos runtime libraries
ii  libpam-runtime          0.76-22          Runtime support for the PAM librar
ii  libpam0g                0.76-22          Pluggable Authentication Modules l
ii  libssl0.9.7             0.9.7e-2         SSL shared libraries
ii  openssl                 0.9.7e-2         Secure Socket Layer (SSL) binary a

