CERT VU#702777

History: Jan 27, 2005 - 12:00 a.m.

UW-imapd fails to properly authenticate users when using CRAM-MD5

Published: 2005-01-27 00:00:00
Source: www.kb.cert.org

EPSS: 0.023 (Low)
Percentile: 89.7%

Overview

A vulnerability in an authentication method for the University of Washington IMAP server could allow a remote attacker to access any user’s mailbox.

Description

The Internet Message Access Protocol (IMAP) is a method of accessing electronic messages kept on a remote mail server and is specified in RFC3501. The University of Washington IMAP server features multiple user authentication methods, including the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195. A logic error in the code that handles CRAM-MD5 incorrectly specifies the conditions of successful authentication. This error results in a vulnerability that could allow a remote attacker to successfully authenticate as any user on the target system. This vulnerability only affects sites that have explicitly enabled CRAM-MD5 style authentication; it is not enabled in the default configuration of the UW-IMAP server.
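As an added illustration (not UW-imapd's code), the CRAM-MD5 exchange of RFC 2195 with both sides and a server-side verifier whose success condition is spelled out: a response is accepted only when the presented digest equals the one the server computes for that challenge, and every other path is a rejection. The credential store and host name are constructed.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample credential store. CRAM-MD5 needs the shared secret
# (or an equivalent precomputed keyed-MD5 context) on the server side.
USERS = {"tim": "tanstaaftanstaaf"}


def make_challenge(host="imap.example.test"):
    """Server: fresh, unique challenge in the RFC 2195 message-id form."""
    return f"<{os.getpid()}.{int(time.time())}@{host}>"


def server_challenge_line(challenge):
    """Server: the continuation request as sent on the wire."""
    return "+ " + base64.b64encode(challenge.encode()).decode()


def keyed_md5(secret, challenge):
    """HMAC-MD5 (RFC 2104) of the challenge under the shared secret, as
    lowercase hex, which is the form RFC 2195 requires."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response(username, secret, challenge):
    """Client: base64(username SP hexdigest)."""
    return base64.b64encode(f"{username} {keyed_md5(secret, challenge)}".encode()).decode()


def verify(challenge, response_line, users=USERS):
    """Server: return the authenticated username, or None.

    The success condition is the whole point: a response is accepted only
    if it decodes, names a known user, and carries a digest equal to the
    one the server computes itself for this challenge. Every other path,
    including any exception, ends in None.
    """
    try:
        decoded = base64.b64decode(response_line, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, presented = decoded.partition(" ")
    secret = users.get(username) if sep else None
    if secret is None or len(presented) != 32:
        return None
    expected = keyed_md5(secret, challenge)
    # Constant-time equality; there is no other way to succeed.
    return username if hmac.compare_digest(expected, presented) else None


def run_exchange(username, secret, users=USERS, challenge=None):
    """Drive both sides once; returns (server line, client line, outcome)."""
    challenge = challenge or make_challenge()
    s_line = server_challenge_line(challenge)
    c_line = client_response(username, secret, challenge)
    return s_line, c_line, verify(challenge, c_line, users)


if __name__ == "__main__":
    for line in run_exchange("tim", "tanstaaftanstaaf"):
        print(line)
```

The first test below is the worked example from RFC 2195 itself; the others check that a wrong secret, an unknown user, a response replayed against a different challenge, and a malformed response are all rejected.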


Impact

A remote attacker could authenticate as any user on the target system and thereby read and delete email in the authorized user’s account.


Solution

Upgrade or apply a patch

Fixed versions of the software have been released to address this issue. Please see the Systems Affected section of this document for more details.


Vendor Information


Gentoo: Affected

Updated: February 08, 2005

Status: Affected

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The Gentoo security team has published Gentoo Linux Security Advisory GLSA 200502-02 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23702777 Feedback>).

MandrakeSoft: Affected

Notified: January 17, 2005 Updated: February 08, 2005

Status: Affected

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: The Mandrakesoft security team has published Mandrakelinux Security Update Advisory MDKSA-2005:026 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

Red Hat Inc.: Affected

Notified: January 17, 2005 Updated: February 25, 2005

Status: Affected

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: Red Hat has published Red Hat Security Advisory RHSA-2005:128 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

SGI: Affected

Notified: January 17, 2005 Updated: March 17, 2005

Status: Affected

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: SGI has published SGI Security Advisory 20050301-01-U in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

TurboLinux: Affected

Notified: January 17, 2005 Updated: April 28, 2005

Status: Affected

Vendor Statement: This issue was fixed. Please refer to these sites: <http://www.turbolinux.com/security/2005/TLSA-2005-32.txt> <http://www.turbolinux.co.jp/security/2005/TLSA-2005-32j.txt>

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.

University of Washington: Affected

Notified: January 14, 2005 Updated: January 24, 2005

Status: Affected

Vendor Statement: This problem is fixed in the January 4, 2005 release version of imap-2004b, on: <ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z> The convenience link: <ftp://ftp.cac.washington.edu/mail/imap.tar.Z> now points to this version.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.

Apple Computer Inc.: Not Affected

Notified: January 17, 2005 Updated: January 18, 2005

Status: Not Affected

Vendor Statement: Apple does not provide the UW-IMAP Server software for either Mac OS X Client or Mac OS X Server.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.

Fujitsu: Not Affected

Notified: January 17, 2005 Updated: February 08, 2005

Status: Not Affected

Vendor Statement:
Name: Fujitsu
Status: Not Vulnerable (still under exam)
Date Notified: Fri, 28 Jan 2005 12:44:30 +0900
Statement: No statement is currently available.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.

Hitachi: Not Affected

Notified: January 17, 2005 Updated: January 18, 2005

Status: Not Affected

Vendor Statement:
NOT VULNERABLE
HI-UX/WE2 is NOT Vulnerable to this issue.
Hitachi Groupmax Mail (IMAP & POP interface) is NOT Vulnerable to this issue.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.

Microsoft Corporation: Not Affected

Notified: January 17, 2005 Updated: January 20, 2005

Status: Not Affected

Vendor Statement: Please note that at this point, we have conducted an investigation and are unaware of any Microsoft products affected by the vulnerability as reported.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.

NEC Corporation: Not Affected

Notified: January 17, 2005 Updated: March 17, 2005

Status: Not Affected

Vendor Statement: NEC products are NOT susceptible to this vulnerability.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.

Sun Microsystems Inc.: Not Affected

Notified: January 17, 2005 Updated: January 24, 2005

Status: Not Affected

Vendor Statement: Sun is not affected by this vulnerability. Solaris 9 includes version 2003.83 of the University of Washington IMAP/POP3 software on the Companion CD:

http://www.sun.com/software/solaris/freeware/index.html

as an unsupported package which installs to /opt/sfw, however this version is not affected by this vulnerability. The Sun Java Desktop System doesn't ship any IMAP/POP3 software.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.

Vendors with status Unknown

The following vendors were notified on January 17, 2005, and their entries were last updated on January 18, 2005. For each of them: We have not received a statement from the vendor. The vendor has not provided us with any further information regarding this vulnerability. US-CERT has no additional comments at this time.

Conectiva, Cray Inc., Debian, EMC Corporation, Engarde, F5 Networks, FreeBSD, Hewlett-Packard Company, IBM, IBM-zSeries, Immunix, Ingrian Networks, Juniper Networks, MontaVista Software, NetBSD, Nokia, Novell, OpenBSD, Openwall GNU/*/Linux, SCO-LINUX, SCO-UNIX, Sequent, Sony Corporation, SuSE Inc., Unisys, Wind River Systems Inc.

IBM eServer: Unknown

Notified: January 17, 2005 Updated: February 01, 2005

Status: Unknown

Vendor Statement: For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to <https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=>. In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to <http://app-06.www.ibm.com/servers/resourcelink> and follow the steps for registration.

Vendor Information: The vendor has not provided us with any further information regarding this vulnerability.

Addendum: US-CERT has no additional comments at this time.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Mark Crispin and Hugh Sheets of the University of Washington for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2005-0198
Severity Metric: 6.08
Date Public: