Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:336053
HistorySep 09, 2009 - 12:00 a.m.

Cyrus IMAPd buffer overflow vulnerability

2009-09-0900:00:00
www.kb.cert.org
15

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

9.4%

JSON

Overview

The Cyrus IMAP server contains a vulnerability that may allow an authenticated attacker to execute code.

Description

The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that may be triggered by a specially crafted SIEVE script. To install this type of script, the attacker would need to have direct access to a mail account on the server.

Impact

An attacker with the ability to install SIEVE scripts may be able to gain elevated privileges and use the new permissions to execute code, read other user’s mail, or send spoofed email messages.

Solution

Update

The Cyrus IMAP team has released an update to address this issue. See <http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html&gt; for more information.

Disable SIEVE

Administrators who compile Cyrus IMAP from source can use the --disable-sieve option to mitigate this issue.

Vendor Information

336053

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Debian GNU/Linux __ Affected

Notified: September 04, 2009 Updated: September 10, 2009

Statement Date: September 09, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

<http://www.us.debian.org/security/2009/dsa-1881&gt;

Vendor References

SUSE Linux __ Affected

Notified: September 04, 2009 Updated: September 10, 2009

Statement Date: September 10, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

All SUSE Linux products are affected by this issue. Fixed packages will be available soon and can be installed via YaST.

The SCO Group Affected

Notified: September 04, 2009 Updated: September 08, 2009

Statement Date: September 08, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Not Affected

Notified: September 04, 2009 Updated: September 11, 2009

Statement Date: September 09, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Not Affected

Notified: September 04, 2009 Updated: September 10, 2009

Statement Date: September 10, 2009

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux __ Unknown

Notified: September 04, 2009 Updated: September 10, 2009

Statement Date: September 10, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Openwall GNU/*/Linux is not affected. We do not ship Cyrus IMAPd.

QNX Software Systems Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: September 04, 2009 Updated: September 05, 2009

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 40 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to the Cyrus IMAP development team and Bron Gondwana for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2009-2632
Severity Metric: 0.56 Date Public:

Related

nessus 21
fedora 1
openvas 40
debiancve 2
veracode 1
prion 2
freebsd 1
ubuntucve 2
cve 2
debian 5
redhat 1
oraclelinux 1
osv 1
centos 1
gentoo 1
ubuntu 1
threatpost 1
nessus
nessus
Debian DSA-1881-1 : cyrus-imapd-2.2 - buffer overflow
2010-02-24 00:00:00
Mandriva Linux Security Advisory : cyrus-imapd (MDVSA-2009:229-1)
2009-09-14 00:00:00
FreeBSD : cyrus-imapd -- Potential buffer overflow in Sieve (012b495c-9d51-11de-8d20-001bd3385381)
2009-09-10 00:00:00
fedora
fedora
[SECURITY] Fedora 10 Update: dovecot-1.1.18-2.fc10
2009-09-15 07:41:57
openvas
openvas
Fedora Core 10 FEDORA-2009-9559 (dovecot)
2009-09-15 00:00:00
Debian: Security Advisory (DSA-1881-1)
2009-09-15 00:00:00
Mandrake Security Advisory MDVSA-2009:229 (cyrus-imapd)
2009-09-15 00:00:00
debiancve
debiancve
CVE-2009-2632
2009-09-08 23:30:00
CVE-2009-3235
2009-09-17 10:30:00
veracode
veracode
Arbitrary Code Execution
2020-04-10 00:38:24
prion
prion
Integer overflow
2009-09-08 23:30:00
Stack overflow
2009-09-17 10:30:00
freebsd
freebsd
cyrus-imapd -- Potential buffer overflow in Sieve
2009-09-02 00:00:00
ubuntucve
ubuntucve
CVE-2009-2632
2009-09-08 00:00:00
CVE-2009-3235
2009-09-17 00:00:00
cve
cve
CVE-2009-2632
2009-09-08 23:30:00
CVE-2009-3235
2009-09-17 10:30:00
debian
debian
[Backports-security-announce] Security update for dovecot
2009-10-01 18:15:41
[SECURITY] [DSA 1893-1] New cyrus-imapd-2.2/kolab-cyrus-imapd packages fix arbitrary code execution
2009-09-23 16:36:12
[Backports-security-announce] Security update for dovecot
2009-10-01 18:22:42
redhat
redhat
(RHSA-2009:1459) Important: cyrus-imapd security update
2009-09-23 00:00:00
oraclelinux
oraclelinux
cyrus-imapd security update
2009-09-23 00:00:00
osv
osv
dovecot - arbitrary code execution
2009-09-23 00:00:00
centos
centos
cyrus, perl security update
2009-09-26 00:34:20
gentoo
gentoo
Cyrus IMAP Server: Multiple vulnerabilities
2011-10-22 00:00:00
ubuntu
ubuntu
Dovecot vulnerabilities
2009-09-28 00:00:00
threatpost
threatpost
Apple Mega Patch Covers 88 Mac OS X Vulnerabilities
2010-03-29 17:15:44

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

9.4%

JSON
Related for VU:336053
nessus21fedora1openvas40debiancve2veracode1prion2freebsd1ubuntucve2cve2debian5redhat1oraclelinux1osv1centos1gentoo1ubuntu1threatpost1