ID IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL Type nessus Reporter Tenable Modified 2018-11-15T00:00:00
Description
The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.
Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.
#
# (C) Tenable Network Security, Inc.
#
if ( NASL_LEVEL < 4000 ) exit(0);
include("compat.inc");
if (description)
{
script_id(52609);
script_version("1.14");
script_cvs_date("Date: 2018/11/15 20:50:23");
script_cve_id("CVE-2011-0411", "CVE-2011-1926");
script_bugtraq_id(46767, 58171);
script_xref(name:"CERT", value:"555316");
script_name(english:"IMAP Service STARTTLS Plaintext Command Injection");
script_summary(english:"Tries to inject a command along with STARTTLS");
script_set_attribute(
attribute:"synopsis",
value:
"The remote mail service allows plaintext command injection while
negotiating an encrypted communications channel."
);
script_set_attribute(
attribute:"description",
value:
"The remote IMAP service contains a software flaw in its STARTTLS
implementation that could allow a remote, unauthenticated attacker to
inject commands during the plaintext protocol phase that will be
executed during the ciphertext protocol phase.
Successful exploitation could allow an attacker to steal a victim's
email or associated SASL (Simple Authentication and Security Layer)
credentials."
);
script_set_attribute(
attribute:"see_also",
value:"https://tools.ietf.org/html/rfc2487"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.securityfocus.com/archive/1/516901/30/0/threaded"
);
script_set_attribute(
attribute:"solution",
value:"Contact the vendor to see if an update is available."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/10");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
script_dependencies("imap4_starttls.nasl");
script_require_ports("Services/imap", 143);
exit(0);
}
include("global_settings.inc");
include("imap_func.inc");
include("misc_func.inc");
port = get_service(svc:"imap", default:143, exit_on_fail:TRUE);
if (!get_kb_item("imap/"+port+"/starttls"))
{
if (get_kb_item("imap/"+port+"/starttls_tested"))
exit(0, "The IMAP server on port "+port+" does not support STARTTLS.");
encaps = get_kb_item("Transports/TCP/"+port);
if (encaps && encaps > ENCAPS_IP)
exit(0, "The IMAP server on port "+port+" always encrypts traffic.");
}
soc = open_sock_tcp(port);
if (!soc) exit(1, "Can't open socket on port "+port+".");
s = recv_line(socket:soc, length:2048);
if (!strlen(s))
{
close(soc);
exit(1, "Failed to receive a banner from the IMAP server on port"+port+".");
}
tag = 0;
# Send the exploit.
++tag;
c = 'nessus1 STARTTLS\r\nnessus2 CAPABILITY\r\n';
send(socket:soc, data:c);
resp = "";
while (s1 = recv_line(socket:soc, length:2048))
{
s1 = chomp(s1);
match = eregmatch(pattern:"^nessus"+tag+" (OK|BAD|NO)", string:s1, icase:TRUE);
if (!isnull(match))
{
resp = match[1];
break;
}
}
if (resp == "")
{
close(soc);
if (strlen(s1)) errmsg = "The IMAP server on port "+port+" sent an invalid response (" + s1 + ").";
else errmsg = "The IMAP server on port "+port+" failed to respond to a 'STARTTLS' command.";
exit(1, errmsg);
}
if (toupper(resp) != 'OK') exit(1, "The IMAP server on port "+port+" did not accept the command (", s1, ").");
# nb: finally, we need to make sure the second command worked.
soc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);
if (!soc) exit(1, "Failed to negotiate a TLS connection with the IMAP server on port "+port+".");
++tag;
resp = "";
while (s2 = recv_line(socket:soc, length:2048))
{
s2 = chomp(s2);
match = eregmatch(pattern:"^nessus"+tag+" (OK|BAD|NO)", string:s2, icase:TRUE);
if (!isnull(match))
{
resp = match[1];
break;
}
}
close(soc);
if (strlen(s2) == 0) exit(0, "The IMAP server on port "+port+" does not appear to be affected.");
else
{
if (resp && "OK" == toupper(resp))
{
if (report_verbosity > 0)
{
report =
'\n' + 'Nessus sent the following two commands in a single packet :' +
'\n' +
'\n' + ' ' + str_replace(find:'\r\n', replace:'\\r\\n', string:c) +
'\n' +
'\n' + 'And the server sent the following two responses :' +
'\n' +
'\n' + ' ' + s1 +
'\n' + ' ' + s2 + '\n';
security_warning(port:port, extra:report);
}
else security_warning(port);
exit(0);
}
else exit(0, "The IMAP server on port "+port+" does not appear to be affected as it responded '" + s2 + "'.");
}
{"id": "IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL", "bulletinFamily": "scanner", "title": "IMAP Service STARTTLS Plaintext Command Injection", "description": "The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.", "published": "2011-03-10T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52609", "reporter": "Tenable", "references": ["https://tools.ietf.org/html/rfc2487", "https://www.securityfocus.com/archive/1/516901/30/0/threaded"], "cvelist": ["CVE-2011-1926", "CVE-2011-0411"], "type": "nessus", "lastseen": "2019-02-21T01:14:38", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-1926", "CVE-2011-0411"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "e51bbd1f73c671d7b1689867a116cf5d511f8ef6b710c1f663871bc5d072411a", "hashmap": [{"hash": "7dd6e3b1e5f9049c821dddb40d9f3a93", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "67267163aa7ce65243b507491e033831", "key": "cvelist"}, {"hash": "e3b9580587aff4b63b45498e9530dd28", "key": "references"}, {"hash": "9fe2c359d7755b867254d0f7b60f8ac1", "key": "published"}, {"hash": "e6a29d4420d3188d02a4c05711f47978", "key": "description"}, {"hash": "6fa9a9c84a6603a8e5d029c95110b896", "key": "title"}, {"hash": "7b5118036836c6b31efa4022700988bf", "key": "sourceData"}, {"hash": "d26c1b18754b891725869286c58d3d1c", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "e7c99ea8270f32c4596b63d798cb8592", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=52609", "id": "IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL", "lastseen": "2017-05-17T02:47:36", "modified": "2017-05-16T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.2", "pluginID": "52609", "published": "2011-03-10T00:00:00", "references": ["https://tools.ietf.org/html/rfc2487", "http://www.securityfocus.com/archive/1/516901/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif ( NASL_LEVEL < 4000 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(52609);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2017/05/16 19:35:39 $\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767, 58171);\n script_osvdb_id(71020, 71946, 72186, 90479);\n script_xref(name:\"CERT\", value:\"555316\");\n\n script_name(english:\"IMAP Service STARTTLS Plaintext Command Injection\");\n script_summary(english:\"Tries to inject a command along with STARTTLS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote mail service allows plaintext command injection while\nnegotiating an encrypted communications channel.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://tools.ietf.org/html/rfc2487\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://www.securityfocus.com/archive/1/516901/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Contact the vendor to see if an update is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"imap4_starttls.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"imap\", default:143, exit_on_fail:TRUE);\nif (!get_kb_item(\"imap/\"+port+\"/starttls\"))\n{\n if (get_kb_item(\"imap/\"+port+\"/starttls_tested\"))\n exit(0, \"The IMAP server on port \"+port+\" does not support STARTTLS.\");\n\n encaps = get_kb_item(\"Transports/TCP/\"+port);\n if (encaps && encaps > ENCAPS_IP) \n exit(0, \"The IMAP server on port \"+port+\" always encrypts traffic.\");\n}\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Can't open socket on port \"+port+\".\");\n\ns = recv_line(socket:soc, length:2048);\nif (!strlen(s)) \n{\n close(soc);\n exit(1, \"Failed to receive a banner from the IMAP server on port\"+port+\".\");\n}\ntag = 0;\n\n\n# Send the exploit.\n++tag;\nc = 'nessus1 STARTTLS\\r\\nnessus2 CAPABILITY\\r\\n';\nsend(socket:soc, data:c);\n\nresp = \"\";\nwhile (s1 = recv_line(socket:soc, length:2048))\n{\n s1 = chomp(s1);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s1, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\n\nif (resp == \"\")\n{\n close(soc);\n\n if (strlen(s1)) errmsg = \"The IMAP server on port \"+port+\" sent an invalid response (\" + s1 + \").\";\n else errmsg = \"The IMAP server on port \"+port+\" failed to respond to a 'STARTTLS' command.\";\n exit(1, errmsg);\n}\nif (toupper(resp) != 'OK') exit(1, \"The IMAP server on port \"+port+\" did not accept the command (\", s1, \").\");\n\n# nb: finally, we need to make sure the second command worked.\nsoc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);\nif (!soc) exit(1, \"Failed to negotiate a TLS connection with the IMAP server on port \"+port+\".\");\n\n++tag;\nresp = \"\";\nwhile (s2 = recv_line(socket:soc, length:2048))\n{\n s2 = chomp(s2);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s2, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\nclose(soc);\n\nif (strlen(s2) == 0) exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected.\");\nelse\n{\n if (resp && \"OK\" == toupper(resp))\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n' + 'Nessus sent the following two commands in a single packet :' +\n '\\n' +\n '\\n' + ' ' + str_replace(find:'\\r\\n', replace:'\\\\r\\\\n', string:c) + \n '\\n' +\n '\\n' + 'And the server sent the following two responses :' +\n '\\n' +\n '\\n' + ' ' + s1 +\n '\\n' + ' ' + s2 + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n else exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected as it responded '\" + s2 + \"'.\");\n}\n", "title": "IMAP Service STARTTLS Plaintext Command Injection", "type": "nessus", "viewCount": 6}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-05-17T02:47:36"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-1926", "CVE-2011-0411"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "5d774f079c1381e47727bd8d640564d213869e0c0c36cad5e2573581c6459410", "hashmap": [{"hash": "a63038bddeb56cf97a71c1372fb0bbdf", "key": "sourceData"}, {"hash": "7dd6e3b1e5f9049c821dddb40d9f3a93", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "67267163aa7ce65243b507491e033831", "key": "cvelist"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "9fe2c359d7755b867254d0f7b60f8ac1", "key": "published"}, {"hash": "e6a29d4420d3188d02a4c05711f47978", "key": "description"}, {"hash": "6fa9a9c84a6603a8e5d029c95110b896", "key": "title"}, {"hash": "d26c1b18754b891725869286c58d3d1c", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "a88035a9bb2b68e9ae6bf787c9af5634", "key": "references"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=52609", "id": "IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL", "lastseen": "2018-11-17T03:05:49", "modified": "2018-11-15T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "52609", "published": "2011-03-10T00:00:00", "references": ["https://tools.ietf.org/html/rfc2487", "https://www.securityfocus.com/archive/1/516901/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif ( NASL_LEVEL < 4000 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(52609);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767, 58171);\n script_xref(name:\"CERT\", value:\"555316\");\n\n script_name(english:\"IMAP Service STARTTLS Plaintext Command Injection\");\n script_summary(english:\"Tries to inject a command along with STARTTLS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote mail service allows plaintext command injection while\nnegotiating an encrypted communications channel.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://tools.ietf.org/html/rfc2487\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://www.securityfocus.com/archive/1/516901/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Contact the vendor to see if an update is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"imap4_starttls.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"imap\", default:143, exit_on_fail:TRUE);\nif (!get_kb_item(\"imap/\"+port+\"/starttls\"))\n{\n if (get_kb_item(\"imap/\"+port+\"/starttls_tested\"))\n exit(0, \"The IMAP server on port \"+port+\" does not support STARTTLS.\");\n\n encaps = get_kb_item(\"Transports/TCP/\"+port);\n if (encaps && encaps > ENCAPS_IP) \n exit(0, \"The IMAP server on port \"+port+\" always encrypts traffic.\");\n}\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Can't open socket on port \"+port+\".\");\n\ns = recv_line(socket:soc, length:2048);\nif (!strlen(s)) \n{\n close(soc);\n exit(1, \"Failed to receive a banner from the IMAP server on port\"+port+\".\");\n}\ntag = 0;\n\n\n# Send the exploit.\n++tag;\nc = 'nessus1 STARTTLS\\r\\nnessus2 CAPABILITY\\r\\n';\nsend(socket:soc, data:c);\n\nresp = \"\";\nwhile (s1 = recv_line(socket:soc, length:2048))\n{\n s1 = chomp(s1);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s1, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\n\nif (resp == \"\")\n{\n close(soc);\n\n if (strlen(s1)) errmsg = \"The IMAP server on port \"+port+\" sent an invalid response (\" + s1 + \").\";\n else errmsg = \"The IMAP server on port \"+port+\" failed to respond to a 'STARTTLS' command.\";\n exit(1, errmsg);\n}\nif (toupper(resp) != 'OK') exit(1, \"The IMAP server on port \"+port+\" did not accept the command (\", s1, \").\");\n\n# nb: finally, we need to make sure the second command worked.\nsoc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);\nif (!soc) exit(1, \"Failed to negotiate a TLS connection with the IMAP server on port \"+port+\".\");\n\n++tag;\nresp = \"\";\nwhile (s2 = recv_line(socket:soc, length:2048))\n{\n s2 = chomp(s2);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s2, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\nclose(soc);\n\nif (strlen(s2) == 0) exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected.\");\nelse\n{\n if (resp && \"OK\" == toupper(resp))\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n' + 'Nessus sent the following two commands in a single packet :' +\n '\\n' +\n '\\n' + ' ' + str_replace(find:'\\r\\n', replace:'\\\\r\\\\n', string:c) + \n '\\n' +\n '\\n' + 'And the server sent the following two responses :' +\n '\\n' +\n '\\n' + ' ' + s1 +\n '\\n' + ' ' + s2 + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n else exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected as it responded '\" + s2 + \"'.\");\n}\n", "title": "IMAP Service STARTTLS Plaintext Command Injection", "type": "nessus", "viewCount": 23}, "differentElements": ["description"], "edition": 6, "lastseen": "2018-11-17T03:05:49"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-1926", "CVE-2011-0411"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ec8fe34e39e41acd57116036230ed45349c7e5ac86180d9a1a5be7452bc88871", "hashmap": [{"hash": "37899bafd15a4d603a6a1c28fa6e6481", "key": "sourceData"}, {"hash": "7dd6e3b1e5f9049c821dddb40d9f3a93", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "67267163aa7ce65243b507491e033831", "key": "cvelist"}, {"hash": "e3b9580587aff4b63b45498e9530dd28", "key": "references"}, {"hash": "9fe2c359d7755b867254d0f7b60f8ac1", "key": "published"}, {"hash": "e6a29d4420d3188d02a4c05711f47978", "key": "description"}, {"hash": "6fa9a9c84a6603a8e5d029c95110b896", "key": "title"}, {"hash": "d26c1b18754b891725869286c58d3d1c", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "f5e850f1985da305c7f9475708cd4d52", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=52609", "id": "IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL", "lastseen": "2018-09-01T23:53:28", "modified": "2018-07-12T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "52609", "published": "2011-03-10T00:00:00", "references": ["https://tools.ietf.org/html/rfc2487", "http://www.securityfocus.com/archive/1/516901/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif ( NASL_LEVEL < 4000 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(52609);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767, 58171);\n script_xref(name:\"CERT\", value:\"555316\");\n\n script_name(english:\"IMAP Service STARTTLS Plaintext Command Injection\");\n script_summary(english:\"Tries to inject a command along with STARTTLS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote mail service allows plaintext command injection while\nnegotiating an encrypted communications channel.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://tools.ietf.org/html/rfc2487\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://www.securityfocus.com/archive/1/516901/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Contact the vendor to see if an update is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"imap4_starttls.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"imap\", default:143, exit_on_fail:TRUE);\nif (!get_kb_item(\"imap/\"+port+\"/starttls\"))\n{\n if (get_kb_item(\"imap/\"+port+\"/starttls_tested\"))\n exit(0, \"The IMAP server on port \"+port+\" does not support STARTTLS.\");\n\n encaps = get_kb_item(\"Transports/TCP/\"+port);\n if (encaps && encaps > ENCAPS_IP) \n exit(0, \"The IMAP server on port \"+port+\" always encrypts traffic.\");\n}\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Can't open socket on port \"+port+\".\");\n\ns = recv_line(socket:soc, length:2048);\nif (!strlen(s)) \n{\n close(soc);\n exit(1, \"Failed to receive a banner from the IMAP server on port\"+port+\".\");\n}\ntag = 0;\n\n\n# Send the exploit.\n++tag;\nc = 'nessus1 STARTTLS\\r\\nnessus2 CAPABILITY\\r\\n';\nsend(socket:soc, data:c);\n\nresp = \"\";\nwhile (s1 = recv_line(socket:soc, length:2048))\n{\n s1 = chomp(s1);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s1, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\n\nif (resp == \"\")\n{\n close(soc);\n\n if (strlen(s1)) errmsg = \"The IMAP server on port \"+port+\" sent an invalid response (\" + s1 + \").\";\n else errmsg = \"The IMAP server on port \"+port+\" failed to respond to a 'STARTTLS' command.\";\n exit(1, errmsg);\n}\nif (toupper(resp) != 'OK') exit(1, \"The IMAP server on port \"+port+\" did not accept the command (\", s1, \").\");\n\n# nb: finally, we need to make sure the second command worked.\nsoc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);\nif (!soc) exit(1, \"Failed to negotiate a TLS connection with the IMAP server on port \"+port+\".\");\n\n++tag;\nresp = \"\";\nwhile (s2 = recv_line(socket:soc, length:2048))\n{\n s2 = chomp(s2);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s2, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\nclose(soc);\n\nif (strlen(s2) == 0) exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected.\");\nelse\n{\n if (resp && \"OK\" == toupper(resp))\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n' + 'Nessus sent the following two commands in a single packet :' +\n '\\n' +\n '\\n' + ' ' + str_replace(find:'\\r\\n', replace:'\\\\r\\\\n', string:c) + \n '\\n' +\n '\\n' + 'And the server sent the following two responses :' +\n '\\n' +\n '\\n' + ' ' + s1 +\n '\\n' + ' ' + s2 + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n else exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected as it responded '\" + s2 + \"'.\");\n}\n", "title": "IMAP Service STARTTLS Plaintext Command Injection", "type": "nessus", "viewCount": 14}, "differentElements": ["references", "modified", "sourceData"], "edition": 5, "lastseen": "2018-09-01T23:53:28"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-1926", "CVE-2011-0411"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ec8fe34e39e41acd57116036230ed45349c7e5ac86180d9a1a5be7452bc88871", "hashmap": [{"hash": "37899bafd15a4d603a6a1c28fa6e6481", "key": "sourceData"}, {"hash": "7dd6e3b1e5f9049c821dddb40d9f3a93", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "67267163aa7ce65243b507491e033831", "key": "cvelist"}, {"hash": "e3b9580587aff4b63b45498e9530dd28", "key": "references"}, {"hash": "9fe2c359d7755b867254d0f7b60f8ac1", "key": "published"}, {"hash": "e6a29d4420d3188d02a4c05711f47978", "key": "description"}, {"hash": "6fa9a9c84a6603a8e5d029c95110b896", "key": "title"}, {"hash": "d26c1b18754b891725869286c58d3d1c", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "f5e850f1985da305c7f9475708cd4d52", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=52609", "id": "IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL", "lastseen": "2018-07-13T10:03:18", "modified": "2018-07-12T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "52609", "published": "2011-03-10T00:00:00", "references": ["https://tools.ietf.org/html/rfc2487", "http://www.securityfocus.com/archive/1/516901/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif ( NASL_LEVEL < 4000 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(52609);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767, 58171);\n script_xref(name:\"CERT\", value:\"555316\");\n\n script_name(english:\"IMAP Service STARTTLS Plaintext Command Injection\");\n script_summary(english:\"Tries to inject a command along with STARTTLS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote mail service allows plaintext command injection while\nnegotiating an encrypted communications channel.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://tools.ietf.org/html/rfc2487\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://www.securityfocus.com/archive/1/516901/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Contact the vendor to see if an update is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"imap4_starttls.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"imap\", default:143, exit_on_fail:TRUE);\nif (!get_kb_item(\"imap/\"+port+\"/starttls\"))\n{\n if (get_kb_item(\"imap/\"+port+\"/starttls_tested\"))\n exit(0, \"The IMAP server on port \"+port+\" does not support STARTTLS.\");\n\n encaps = get_kb_item(\"Transports/TCP/\"+port);\n if (encaps && encaps > ENCAPS_IP) \n exit(0, \"The IMAP server on port \"+port+\" always encrypts traffic.\");\n}\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Can't open socket on port \"+port+\".\");\n\ns = recv_line(socket:soc, length:2048);\nif (!strlen(s)) \n{\n close(soc);\n exit(1, \"Failed to receive a banner from the IMAP server on port\"+port+\".\");\n}\ntag = 0;\n\n\n# Send the exploit.\n++tag;\nc = 'nessus1 STARTTLS\\r\\nnessus2 CAPABILITY\\r\\n';\nsend(socket:soc, data:c);\n\nresp = \"\";\nwhile (s1 = recv_line(socket:soc, length:2048))\n{\n s1 = chomp(s1);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s1, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\n\nif (resp == \"\")\n{\n close(soc);\n\n if (strlen(s1)) errmsg = \"The IMAP server on port \"+port+\" sent an invalid response (\" + s1 + \").\";\n else errmsg = \"The IMAP server on port \"+port+\" failed to respond to a 'STARTTLS' command.\";\n exit(1, errmsg);\n}\nif (toupper(resp) != 'OK') exit(1, \"The IMAP server on port \"+port+\" did not accept the command (\", s1, \").\");\n\n# nb: finally, we need to make sure the second command worked.\nsoc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);\nif (!soc) exit(1, \"Failed to negotiate a TLS connection with the IMAP server on port \"+port+\".\");\n\n++tag;\nresp = \"\";\nwhile (s2 = recv_line(socket:soc, length:2048))\n{\n s2 = chomp(s2);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s2, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\nclose(soc);\n\nif (strlen(s2) == 0) exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected.\");\nelse\n{\n if (resp && \"OK\" == toupper(resp))\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n' + 'Nessus sent the following two commands in a single packet :' +\n '\\n' +\n '\\n' + ' ' + str_replace(find:'\\r\\n', replace:'\\\\r\\\\n', string:c) + \n '\\n' +\n '\\n' + 'And the server sent the following two responses :' +\n '\\n' +\n '\\n' + ' ' + s1 +\n '\\n' + ' ' + s2 + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n else exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected as it responded '\" + s2 + \"'.\");\n}\n", "title": "IMAP Service STARTTLS Plaintext Command Injection", "type": "nessus", "viewCount": 9}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-07-13T10:03:18"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-1926", "CVE-2011-0411"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.", "edition": 7, "enchantments": {"dependencies": {"modified": "2019-01-16T20:11:52", "references": [{"idList": ["14A6F516-502F-11E0-B448-BBFA2731F9C7"], "type": "freebsd"}, {"idList": ["DEBIAN:DSA-2242-1:A19E9", "DEBIAN:DSA-2258-1:631EF"], "type": "debian"}, {"idList": ["RHSA-2011:0422", "RHSA-2011:0423", "RHSA-2011:0859"], "type": "redhat"}, {"idList": ["CESA-2011:0422", "CESA-2011:0859"], "type": "centos"}, {"idList": ["FEDORA_2011-7193.NASL", "DEBIAN_DSA-2242.NASL", "SUSE_CYRUS-IMAPD-7583.NASL", "ORACLELINUX_ELSA-2011-0859.NASL", "DEBIAN_DSA-2258.NASL", "FEDORA_2011-7217.NASL", "CENTOS_RHSA-2011-0859.NASL", "SUSE_11_CYRUS-IMAPD-110620.NASL", "SUSE_11_3_CYRUS-IMAPD-110620.NASL", "REDHAT-RHSA-2011-0859.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:69965", "OPENVAS:870443", "OPENVAS:1361412562310122148", "OPENVAS:831410", "OPENVAS:1361412562310880958", "OPENVAS:880958", "OPENVAS:136141256231069965", "OPENVAS:1361412562310831410", "OPENVAS:1361412562310880536", "OPENVAS:69740"], "type": "openvas"}, {"idList": ["USN-1113-1"], "type": "ubuntu"}, {"idList": ["CVE-2011-1926", "CVE-2011-0411"], "type": "cve"}, {"idList": ["ELSA-2011-0859", "ELSA-2011-0423"], "type": "oraclelinux"}, {"idList": ["SECURITYVULNS:DOC:26393", "SECURITYVULNS:VULN:11492", "SECURITYVULNS:DOC:25899"], "type": "securityvulns"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "4b3590aa275e2b9fffb641f4ccb819ef186556a9ac15eab0e99daa1e23aa3533", "hashmap": [{"hash": "a63038bddeb56cf97a71c1372fb0bbdf", "key": "sourceData"}, {"hash": "7dd6e3b1e5f9049c821dddb40d9f3a93", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "67267163aa7ce65243b507491e033831", "key": "cvelist"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "9fe2c359d7755b867254d0f7b60f8ac1", "key": "published"}, {"hash": "6fa9a9c84a6603a8e5d029c95110b896", "key": "title"}, {"hash": "d26c1b18754b891725869286c58d3d1c", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "a88035a9bb2b68e9ae6bf787c9af5634", "key": "references"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "dbffa3257a771e58236a25d3890d9ff3", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=52609", "id": "IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL", "lastseen": "2019-01-16T20:11:52", "modified": "2018-11-15T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "52609", "published": "2011-03-10T00:00:00", "references": ["https://tools.ietf.org/html/rfc2487", "https://www.securityfocus.com/archive/1/516901/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif ( NASL_LEVEL < 4000 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(52609);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767, 58171);\n script_xref(name:\"CERT\", value:\"555316\");\n\n script_name(english:\"IMAP Service STARTTLS Plaintext Command Injection\");\n script_summary(english:\"Tries to inject a command along with STARTTLS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote mail service allows plaintext command injection while\nnegotiating an encrypted communications channel.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://tools.ietf.org/html/rfc2487\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://www.securityfocus.com/archive/1/516901/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Contact the vendor to see if an update is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"imap4_starttls.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"imap\", default:143, exit_on_fail:TRUE);\nif (!get_kb_item(\"imap/\"+port+\"/starttls\"))\n{\n if (get_kb_item(\"imap/\"+port+\"/starttls_tested\"))\n exit(0, \"The IMAP server on port \"+port+\" does not support STARTTLS.\");\n\n encaps = get_kb_item(\"Transports/TCP/\"+port);\n if (encaps && encaps > ENCAPS_IP) \n exit(0, \"The IMAP server on port \"+port+\" always encrypts traffic.\");\n}\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Can't open socket on port \"+port+\".\");\n\ns = recv_line(socket:soc, length:2048);\nif (!strlen(s)) \n{\n close(soc);\n exit(1, \"Failed to receive a banner from the IMAP server on port\"+port+\".\");\n}\ntag = 0;\n\n\n# Send the exploit.\n++tag;\nc = 'nessus1 STARTTLS\\r\\nnessus2 CAPABILITY\\r\\n';\nsend(socket:soc, data:c);\n\nresp = \"\";\nwhile (s1 = recv_line(socket:soc, length:2048))\n{\n s1 = chomp(s1);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s1, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\n\nif (resp == \"\")\n{\n close(soc);\n\n if (strlen(s1)) errmsg = \"The IMAP server on port \"+port+\" sent an invalid response (\" + s1 + \").\";\n else errmsg = \"The IMAP server on port \"+port+\" failed to respond to a 'STARTTLS' command.\";\n exit(1, errmsg);\n}\nif (toupper(resp) != 'OK') exit(1, \"The IMAP server on port \"+port+\" did not accept the command (\", s1, \").\");\n\n# nb: finally, we need to make sure the second command worked.\nsoc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);\nif (!soc) exit(1, \"Failed to negotiate a TLS connection with the IMAP server on port \"+port+\".\");\n\n++tag;\nresp = \"\";\nwhile (s2 = recv_line(socket:soc, length:2048))\n{\n s2 = chomp(s2);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s2, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\nclose(soc);\n\nif (strlen(s2) == 0) exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected.\");\nelse\n{\n if (resp && \"OK\" == toupper(resp))\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n' + 'Nessus sent the following two commands in a single packet :' +\n '\\n' +\n '\\n' + ' ' + str_replace(find:'\\r\\n', replace:'\\\\r\\\\n', string:c) + \n '\\n' +\n '\\n' + 'And the server sent the following two responses :' +\n '\\n' +\n '\\n' + ' ' + s1 +\n '\\n' + ' ' + s2 + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n else exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected as it responded '\" + s2 + \"'.\");\n}\n", "title": "IMAP Service STARTTLS Plaintext Command Injection", "type": "nessus", "viewCount": 31}, "differentElements": ["description"], "edition": 7, "lastseen": "2019-01-16T20:11:52"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-1926", "CVE-2011-0411"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ab560f6255aa78bbcd9633afae42e5b9cbda4f38c8106a5d91b68caba46d16da", "hashmap": [{"hash": "37899bafd15a4d603a6a1c28fa6e6481", "key": "sourceData"}, {"hash": "7dd6e3b1e5f9049c821dddb40d9f3a93", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "67267163aa7ce65243b507491e033831", "key": "cvelist"}, {"hash": "e3b9580587aff4b63b45498e9530dd28", "key": "references"}, {"hash": "9fe2c359d7755b867254d0f7b60f8ac1", "key": "published"}, {"hash": "e6a29d4420d3188d02a4c05711f47978", "key": "description"}, {"hash": "6fa9a9c84a6603a8e5d029c95110b896", "key": "title"}, {"hash": "d26c1b18754b891725869286c58d3d1c", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "f5e850f1985da305c7f9475708cd4d52", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=52609", "id": "IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL", "lastseen": "2018-08-30T19:47:49", "modified": "2018-07-12T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.3", "pluginID": "52609", "published": "2011-03-10T00:00:00", "references": ["https://tools.ietf.org/html/rfc2487", "http://www.securityfocus.com/archive/1/516901/30/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif ( NASL_LEVEL < 4000 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(52609);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767, 58171);\n script_xref(name:\"CERT\", value:\"555316\");\n\n script_name(english:\"IMAP Service STARTTLS Plaintext Command Injection\");\n script_summary(english:\"Tries to inject a command along with STARTTLS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote mail service allows plaintext command injection while\nnegotiating an encrypted communications channel.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://tools.ietf.org/html/rfc2487\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://www.securityfocus.com/archive/1/516901/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Contact the vendor to see if an update is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"imap4_starttls.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"imap\", default:143, exit_on_fail:TRUE);\nif (!get_kb_item(\"imap/\"+port+\"/starttls\"))\n{\n if (get_kb_item(\"imap/\"+port+\"/starttls_tested\"))\n exit(0, \"The IMAP server on port \"+port+\" does not support STARTTLS.\");\n\n encaps = get_kb_item(\"Transports/TCP/\"+port);\n if (encaps && encaps > ENCAPS_IP) \n exit(0, \"The IMAP server on port \"+port+\" always encrypts traffic.\");\n}\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Can't open socket on port \"+port+\".\");\n\ns = recv_line(socket:soc, length:2048);\nif (!strlen(s)) \n{\n close(soc);\n exit(1, \"Failed to receive a banner from the IMAP server on port\"+port+\".\");\n}\ntag = 0;\n\n\n# Send the exploit.\n++tag;\nc = 'nessus1 STARTTLS\\r\\nnessus2 CAPABILITY\\r\\n';\nsend(socket:soc, data:c);\n\nresp = \"\";\nwhile (s1 = recv_line(socket:soc, length:2048))\n{\n s1 = chomp(s1);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s1, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\n\nif (resp == \"\")\n{\n close(soc);\n\n if (strlen(s1)) errmsg = \"The IMAP server on port \"+port+\" sent an invalid response (\" + s1 + \").\";\n else errmsg = \"The IMAP server on port \"+port+\" failed to respond to a 'STARTTLS' command.\";\n exit(1, errmsg);\n}\nif (toupper(resp) != 'OK') exit(1, \"The IMAP server on port \"+port+\" did not accept the command (\", s1, \").\");\n\n# nb: finally, we need to make sure the second command worked.\nsoc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);\nif (!soc) exit(1, \"Failed to negotiate a TLS connection with the IMAP server on port \"+port+\".\");\n\n++tag;\nresp = \"\";\nwhile (s2 = recv_line(socket:soc, length:2048))\n{\n s2 = chomp(s2);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s2, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\nclose(soc);\n\nif (strlen(s2) == 0) exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected.\");\nelse\n{\n if (resp && \"OK\" == toupper(resp))\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n' + 'Nessus sent the following two commands in a single packet :' +\n '\\n' +\n '\\n' + ' ' + str_replace(find:'\\r\\n', replace:'\\\\r\\\\n', string:c) + \n '\\n' +\n '\\n' + 'And the server sent the following two responses :' +\n '\\n' +\n '\\n' + ' ' + s1 +\n '\\n' + ' ' + s2 + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n else exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected as it responded '\" + s2 + \"'.\");\n}\n", "title": "IMAP Service STARTTLS Plaintext Command Injection", "type": "nessus", "viewCount": 9}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:47:49"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2011-1926", "CVE-2011-0411"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.", "edition": 1, "hash": "1de2c6abac26b3eb3f36d7ba7d1b430fe31c6f67ee58b124bf7cae3fdb70c6d6", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "ae30ab679a4620946e7383f6006ba3c5", "key": "modified"}, {"hash": "7dd6e3b1e5f9049c821dddb40d9f3a93", "key": "pluginID"}, {"hash": "f988dc6e0b4d047c838adcca890ea132", "key": "naslFamily"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "67267163aa7ce65243b507491e033831", "key": "cvelist"}, {"hash": "7f02474ddb3d8972aa112053f158b415", "key": "sourceData"}, {"hash": "9fe2c359d7755b867254d0f7b60f8ac1", "key": "published"}, {"hash": "e6a29d4420d3188d02a4c05711f47978", "key": "description"}, {"hash": "6fa9a9c84a6603a8e5d029c95110b896", "key": "title"}, {"hash": "d26c1b18754b891725869286c58d3d1c", "key": "href"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "141ddbd0e00114a4135899e58335ebf8", "key": "references"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=52609", "id": "IMAP4_STARTTLS_PLAINTEXT_INJECTION.NASL", "lastseen": "2016-09-26T17:25:17", "modified": "2016-05-16T00:00:00", "naslFamily": "Misc.", "objectVersion": "1.2", "pluginID": "52609", "published": "2011-03-10T00:00:00", "references": ["http://www.securityfocus.com/archive/1/516901/30/0/threaded", "http://tools.ietf.org/html/rfc2487"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif ( NASL_LEVEL < 4000 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(52609);\n script_version(\"$Revision: 1.11 $\");\n script_cvs_date(\"$Date: 2016/05/16 14:02:51 $\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767, 58171);\n script_osvdb_id(71020, 71946, 72186, 90479);\n script_xref(name:\"CERT\", value:\"555316\");\n\n script_name(english:\"IMAP Service STARTTLS Plaintext Command Injection\");\n script_summary(english:\"Tries to inject a command along with STARTTLS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote mail service allows plaintext command injection while\nnegotiating an encrypted communications channel.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://tools.ietf.org/html/rfc2487\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://www.securityfocus.com/archive/1/516901/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Contact the vendor to see if an update is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.\");\n\n script_dependencies(\"imap4_starttls.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"imap\", default:143, exit_on_fail:TRUE);\nif (!get_kb_item(\"imap/\"+port+\"/starttls\"))\n{\n if (get_kb_item(\"imap/\"+port+\"/starttls_tested\"))\n exit(0, \"The IMAP server on port \"+port+\" does not support STARTTLS.\");\n\n encaps = get_kb_item(\"Transports/TCP/\"+port);\n if (encaps && encaps > ENCAPS_IP) \n exit(0, \"The IMAP server on port \"+port+\" always encrypts traffic.\");\n}\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Can't open socket on port \"+port+\".\");\n\ns = recv_line(socket:soc, length:2048);\nif (!strlen(s)) \n{\n close(soc);\n exit(1, \"Failed to receive a banner from the IMAP server on port\"+port+\".\");\n}\ntag = 0;\n\n\n# Send the exploit.\n++tag;\nc = 'nessus1 STARTTLS\\r\\nnessus2 CAPABILITY\\r\\n';\nsend(socket:soc, data:c);\n\nresp = \"\";\nwhile (s1 = recv_line(socket:soc, length:2048))\n{\n s1 = chomp(s1);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s1, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\n\nif (resp == \"\")\n{\n close(soc);\n\n if (strlen(s1)) errmsg = \"The IMAP server on port \"+port+\" sent an invalid response (\" + s1 + \").\";\n else errmsg = \"The IMAP server on port \"+port+\" failed to respond to a 'STARTTLS' command.\";\n exit(1, errmsg);\n}\nif (toupper(resp) != 'OK') exit(1, \"The IMAP server on port \"+port+\" did not accept the command (\", s1, \").\");\n\n# nb: finally, we need to make sure the second command worked.\nsoc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);\nif (!soc) exit(1, \"Failed to negotiate a TLS connection with the IMAP server on port \"+port+\".\");\n\n++tag;\nresp = \"\";\nwhile (s2 = recv_line(socket:soc, length:2048))\n{\n s2 = chomp(s2);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s2, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\nclose(soc);\n\nif (strlen(s2) == 0) exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected.\");\nelse\n{\n if (resp && \"OK\" == toupper(resp))\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n' + 'Nessus sent the following two commands in a single packet :' +\n '\\n' +\n '\\n' + ' ' + str_replace(find:'\\r\\n', replace:'\\\\r\\\\n', string:c) + \n '\\n' +\n '\\n' + 'And the server sent the following two responses :' +\n '\\n' +\n '\\n' + ' ' + s1 +\n '\\n' + ' ' + s2 + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n else exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected as it responded '\" + s2 + \"'.\");\n}\n", "title": "IMAP Service STARTTLS Plaintext Command Injection", "type": "nessus", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:25:17"}], "edition": 8, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "67267163aa7ce65243b507491e033831"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "e6a29d4420d3188d02a4c05711f47978"}, {"key": "href", "hash": "d26c1b18754b891725869286c58d3d1c"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "naslFamily", "hash": "f988dc6e0b4d047c838adcca890ea132"}, {"key": "pluginID", "hash": "7dd6e3b1e5f9049c821dddb40d9f3a93"}, {"key": "published", "hash": "9fe2c359d7755b867254d0f7b60f8ac1"}, {"key": "references", "hash": "a88035a9bb2b68e9ae6bf787c9af5634"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "a63038bddeb56cf97a71c1372fb0bbdf"}, {"key": "title", "hash": "6fa9a9c84a6603a8e5d029c95110b896"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "5d774f079c1381e47727bd8d640564d213869e0c0c36cad5e2573581c6459410", "viewCount": 71, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-1926", "CVE-2011-0411"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310831410", "OPENVAS:831410", "OPENVAS:880958", "OPENVAS:1361412562310870443", "OPENVAS:1361412562310881318", "OPENVAS:1361412562310863273", "OPENVAS:863273", "OPENVAS:880536", "OPENVAS:870443", "OPENVAS:1361412562310880958"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2011-0859.NASL", "ORACLELINUX_ELSA-2011-0859.NASL", "REDHAT-RHSA-2011-0859.NASL", "SUSE_11_3_CYRUS-IMAPD-110620.NASL", "MANDRIVA_MDVSA-2011-100.NASL", "FEDORA_2011-7217.NASL", "SUSE_11_CYRUS-IMAPD-110620.NASL", "SL_20110608_CYRUS_IMAPD_ON_SL4_X.NASL", "SUSE_CYRUS-IMAPD-7583.NASL", "DEBIAN_DSA-2242.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26393", "SECURITYVULNS:VULN:11492", "SECURITYVULNS:DOC:25899"]}, {"type": "redhat", "idList": ["RHSA-2011:0859", "RHSA-2011:0423", "RHSA-2011:0422"]}, {"type": "oraclelinux", "idList": ["ELSA-2011-0859", "ELSA-2011-0423"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2258-1:631EF", "DEBIAN:DSA-2242-1:A19E9"]}, {"type": "centos", "idList": ["CESA-2011:0859"]}, {"type": "freebsd", "idList": ["14A6F516-502F-11E0-B448-BBFA2731F9C7", "A7975581-EE26-11E1-8BD8-0022156E8794"]}, {"type": "ubuntu", "idList": ["USN-1113-1"]}], "modified": "2019-02-21T01:14:38"}, "score": {"value": 6.8, "vector": "NONE", "modified": "2019-02-21T01:14:38"}, "vulnersScore": 6.8}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif ( NASL_LEVEL < 4000 ) exit(0);\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(52609);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767, 58171);\n script_xref(name:\"CERT\", value:\"555316\");\n\n script_name(english:\"IMAP Service STARTTLS Plaintext Command Injection\");\n script_summary(english:\"Tries to inject a command along with STARTTLS\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote mail service allows plaintext command injection while\nnegotiating an encrypted communications channel.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote IMAP service contains a software flaw in its STARTTLS\nimplementation that could allow a remote, unauthenticated attacker to\ninject commands during the plaintext protocol phase that will be\nexecuted during the ciphertext protocol phase. \n\nSuccessful exploitation could allow an attacker to steal a victim's\nemail or associated SASL (Simple Authentication and Security Layer)\ncredentials.\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://tools.ietf.org/html/rfc2487\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://www.securityfocus.com/archive/1/516901/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Contact the vendor to see if an update is available.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/03/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"imap4_starttls.nasl\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nport = get_service(svc:\"imap\", default:143, exit_on_fail:TRUE);\nif (!get_kb_item(\"imap/\"+port+\"/starttls\"))\n{\n if (get_kb_item(\"imap/\"+port+\"/starttls_tested\"))\n exit(0, \"The IMAP server on port \"+port+\" does not support STARTTLS.\");\n\n encaps = get_kb_item(\"Transports/TCP/\"+port);\n if (encaps && encaps > ENCAPS_IP) \n exit(0, \"The IMAP server on port \"+port+\" always encrypts traffic.\");\n}\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Can't open socket on port \"+port+\".\");\n\ns = recv_line(socket:soc, length:2048);\nif (!strlen(s)) \n{\n close(soc);\n exit(1, \"Failed to receive a banner from the IMAP server on port\"+port+\".\");\n}\ntag = 0;\n\n\n# Send the exploit.\n++tag;\nc = 'nessus1 STARTTLS\\r\\nnessus2 CAPABILITY\\r\\n';\nsend(socket:soc, data:c);\n\nresp = \"\";\nwhile (s1 = recv_line(socket:soc, length:2048))\n{\n s1 = chomp(s1);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s1, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\n\nif (resp == \"\")\n{\n close(soc);\n\n if (strlen(s1)) errmsg = \"The IMAP server on port \"+port+\" sent an invalid response (\" + s1 + \").\";\n else errmsg = \"The IMAP server on port \"+port+\" failed to respond to a 'STARTTLS' command.\";\n exit(1, errmsg);\n}\nif (toupper(resp) != 'OK') exit(1, \"The IMAP server on port \"+port+\" did not accept the command (\", s1, \").\");\n\n# nb: finally, we need to make sure the second command worked.\nsoc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);\nif (!soc) exit(1, \"Failed to negotiate a TLS connection with the IMAP server on port \"+port+\".\");\n\n++tag;\nresp = \"\";\nwhile (s2 = recv_line(socket:soc, length:2048))\n{\n s2 = chomp(s2);\n match = eregmatch(pattern:\"^nessus\"+tag+\" (OK|BAD|NO)\", string:s2, icase:TRUE);\n if (!isnull(match))\n {\n resp = match[1];\n break;\n }\n}\nclose(soc);\n\nif (strlen(s2) == 0) exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected.\");\nelse\n{\n if (resp && \"OK\" == toupper(resp))\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n' + 'Nessus sent the following two commands in a single packet :' +\n '\\n' +\n '\\n' + ' ' + str_replace(find:'\\r\\n', replace:'\\\\r\\\\n', string:c) + \n '\\n' +\n '\\n' + 'And the server sent the following two responses :' +\n '\\n' +\n '\\n' + ' ' + s1 +\n '\\n' + ' ' + s2 + '\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n exit(0);\n }\n else exit(0, \"The IMAP server on port \"+port+\" does not appear to be affected as it responded '\" + s2 + \"'.\");\n}\n", "naslFamily": "Misc.", "pluginID": "52609", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:11:11", "bulletinFamily": "NVD", "description": "The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a \"plaintext command injection\" attack, a similar issue to CVE-2011-0411.", "modified": "2018-10-30T16:26:00", "id": "CVE-2011-1926", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1926", "published": "2011-05-23T22:55:00", "title": "CVE-2011-1926", "type": "cve", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:11:05", "bulletinFamily": "NVD", "description": "The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a \"plaintext command injection\" attack.", "modified": "2017-08-17T01:33:00", "id": "CVE-2011-0411", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0411", "published": "2011-03-16T22:55:00", "title": "CVE-2011-0411", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-02-21T01:15:01", "bulletinFamily": "scanner", "description": "Updated cyrus-imapd packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support.\n\nIt was discovered that cyrus-imapd did not flush the received commands buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3 sessions. A man-in-the-middle attacker could use this flaw to inject protocol commands into a victim's TLS session initialization messages. This could lead to those commands being processed by cyrus-imapd, potentially allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-1926)\n\nUsers of cyrus-imapd are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, cyrus-imapd will be restarted automatically.", "modified": "2018-11-26T00:00:00", "id": "REDHAT-RHSA-2011-0859.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55013", "published": "2011-06-09T00:00:00", "title": "RHEL 4 / 5 / 6 : cyrus-imapd (RHSA-2011:0859)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:0859. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55013);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2018/11/26 11:02:14\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767);\n script_xref(name:\"RHSA\", value:\"2011:0859\");\n\n script_name(english:\"RHEL 4 / 5 / 6 : cyrus-imapd (RHSA-2011:0859)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cyrus-imapd packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe cyrus-imapd packages contain a high-performance mail server with\nIMAP, POP3, NNTP, and Sieve support.\n\nIt was discovered that cyrus-imapd did not flush the received commands\nbuffer after switching to TLS encryption for IMAP, LMTP, NNTP, and\nPOP3 sessions. A man-in-the-middle attacker could use this flaw to\ninject protocol commands into a victim's TLS session initialization\nmessages. This could lead to those commands being processed by\ncyrus-imapd, potentially allowing the attacker to steal the victim's\nmail or authentication credentials. (CVE-2011-1926)\n\nUsers of cyrus-imapd are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, cyrus-imapd will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-1926\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:0859\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cyrus-imapd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cyrus-imapd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cyrus-imapd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cyrus-imapd-murder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cyrus-imapd-nntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cyrus-imapd-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:cyrus-imapd-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perl-Cyrus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(4|5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x / 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2011:0859\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", reference:\"cyrus-imapd-2.2.12-15.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"cyrus-imapd-devel-2.2.12-15.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"cyrus-imapd-murder-2.2.12-15.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"cyrus-imapd-nntp-2.2.12-15.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"cyrus-imapd-utils-2.2.12-15.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"perl-Cyrus-2.2.12-15.el4\")) flag++;\n\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"cyrus-imapd-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"cyrus-imapd-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"cyrus-imapd-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"cyrus-imapd-devel-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"cyrus-imapd-perl-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"cyrus-imapd-perl-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"cyrus-imapd-perl-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"cyrus-imapd-utils-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"cyrus-imapd-utils-2.3.7-7.el5_6.4\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"cyrus-imapd-utils-2.3.7-7.el5_6.4\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cyrus-imapd-2.3.16-6.el6_1.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"cyrus-imapd-2.3.16-6.el6_1.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cyrus-imapd-2.3.16-6.el6_1.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"cyrus-imapd-debuginfo-2.3.16-6.el6_1.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"cyrus-imapd-devel-2.3.16-6.el6_1.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"cyrus-imapd-utils-2.3.16-6.el6_1.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"cyrus-imapd-utils-2.3.16-6.el6_1.2\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"cyrus-imapd-utils-2.3.16-6.el6_1.2\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cyrus-imapd / cyrus-imapd-debuginfo / cyrus-imapd-devel / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:15:01", "bulletinFamily": "scanner", "description": "Updated cyrus-imapd packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support.\n\nIt was discovered that cyrus-imapd did not flush the received commands buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3 sessions. A man-in-the-middle attacker could use this flaw to inject protocol commands into a victim's TLS session initialization messages. This could lead to those commands being processed by cyrus-imapd, potentially allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-1926)\n\nUsers of cyrus-imapd are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, cyrus-imapd will be restarted automatically.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2011-0859.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55000", "published": "2011-06-09T00:00:00", "title": "CentOS 4 / 5 : cyrus-imapd (CESA-2011:0859)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:0859 and \n# CentOS Errata and Security Advisory 2011:0859 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55000);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/10 11:49:29\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767);\n script_xref(name:\"RHSA\", value:\"2011:0859\");\n\n script_name(english:\"CentOS 4 / 5 : cyrus-imapd (CESA-2011:0859)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated cyrus-imapd packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe cyrus-imapd packages contain a high-performance mail server with\nIMAP, POP3, NNTP, and Sieve support.\n\nIt was discovered that cyrus-imapd did not flush the received commands\nbuffer after switching to TLS encryption for IMAP, LMTP, NNTP, and\nPOP3 sessions. A man-in-the-middle attacker could use this flaw to\ninject protocol commands into a victim's TLS session initialization\nmessages. This could lead to those commands being processed by\ncyrus-imapd, potentially allowing the attacker to steal the victim's\nmail or authentication credentials. (CVE-2011-1926)\n\nUsers of cyrus-imapd are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, cyrus-imapd will be restarted automatically.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-August/017673.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cdcc5fe1\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-August/017674.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1bd2610f\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-June/017611.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8c1dfea1\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2011-June/017612.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?adaed036\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cyrus-imapd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cyrus-imapd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cyrus-imapd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cyrus-imapd-murder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cyrus-imapd-nntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cyrus-imapd-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:cyrus-imapd-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perl-Cyrus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"cyrus-imapd-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"cyrus-imapd-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"cyrus-imapd-devel-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"cyrus-imapd-devel-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"cyrus-imapd-murder-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"cyrus-imapd-murder-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"cyrus-imapd-nntp-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"cyrus-imapd-nntp-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"cyrus-imapd-utils-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"cyrus-imapd-utils-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"perl-Cyrus-2.2.12-15.el4_8\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"perl-Cyrus-2.2.12-15.el4_8\")) flag++;\n\nif (rpm_check(release:\"CentOS-5\", reference:\"cyrus-imapd-2.3.7-7.el5_6.4\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"cyrus-imapd-devel-2.3.7-7.el5_6.4\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"cyrus-imapd-perl-2.3.7-7.el5_6.4\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"cyrus-imapd-utils-2.3.7-7.el5_6.4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:19:31", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2011:0859 :\n\nUpdated cyrus-imapd packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and Sieve support.\n\nIt was discovered that cyrus-imapd did not flush the received commands buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3 sessions. A man-in-the-middle attacker could use this flaw to inject protocol commands into a victim's TLS session initialization messages. This could lead to those commands being processed by cyrus-imapd, potentially allowing the attacker to steal the victim's mail or authentication credentials. (CVE-2011-1926)\n\nUsers of cyrus-imapd are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the update, cyrus-imapd will be restarted automatically.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2011-0859.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68289", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 4 / 5 / 6 : cyrus-imapd (ELSA-2011-0859)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2011:0859 and \n# Oracle Linux Security Advisory ELSA-2011-0859 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68289);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_bugtraq_id(46767);\n script_xref(name:\"RHSA\", value:\"2011:0859\");\n\n script_name(english:\"Oracle Linux 4 / 5 / 6 : cyrus-imapd (ELSA-2011-0859)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2011:0859 :\n\nUpdated cyrus-imapd packages that fix one security issue are now\navailable for Red Hat Enterprise Linux 4, 5, and 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe cyrus-imapd packages contain a high-performance mail server with\nIMAP, POP3, NNTP, and Sieve support.\n\nIt was discovered that cyrus-imapd did not flush the received commands\nbuffer after switching to TLS encryption for IMAP, LMTP, NNTP, and\nPOP3 sessions. A man-in-the-middle attacker could use this flaw to\ninject protocol commands into a victim's TLS session initialization\nmessages. This could lead to those commands being processed by\ncyrus-imapd, potentially allowing the attacker to steal the victim's\nmail or authentication credentials. (CVE-2011-1926)\n\nUsers of cyrus-imapd are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After\ninstalling the update, cyrus-imapd will be restarted automatically.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2011-June/002179.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2011-June/002183.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2011-June/002184.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cyrus-imapd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cyrus-imapd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cyrus-imapd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cyrus-imapd-murder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cyrus-imapd-nntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cyrus-imapd-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:cyrus-imapd-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perl-Cyrus\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(4|5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4 / 5 / 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"cyrus-imapd-2.2.12-15.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"cyrus-imapd-devel-2.2.12-15.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"cyrus-imapd-murder-2.2.12-15.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"cyrus-imapd-nntp-2.2.12-15.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"cyrus-imapd-utils-2.2.12-15.0.1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"perl-Cyrus-2.2.12-15.0.1.el4\")) flag++;\n\nif (rpm_check(release:\"EL5\", reference:\"cyrus-imapd-2.3.7-7.0.1.el5_6.4\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"cyrus-imapd-devel-2.3.7-7.0.1.el5_6.4\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"cyrus-imapd-perl-2.3.7-7.0.1.el5_6.4\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"cyrus-imapd-utils-2.3.7-7.0.1.el5_6.4\")) flag++;\n\nif (rpm_check(release:\"EL6\", reference:\"cyrus-imapd-2.3.16-6.el6_1.2\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cyrus-imapd-devel-2.3.16-6.el6_1.2\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"cyrus-imapd-utils-2.3.16-6.el6_1.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cyrus-imapd / cyrus-imapd-devel / cyrus-imapd-murder / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:15:11", "bulletinFamily": "scanner", "description": "Cyrus-imapd recognized commands before switching to an encrypted channel via STARTTLS. Attackers could potentially exploit that to inject plain text commands. (CVE-2011-1926)", "modified": "2012-05-17T00:00:00", "id": "SUSE_CYRUS-IMAPD-7584.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55621", "published": "2011-07-19T00:00:00", "title": "SuSE 10 Security Update : cyrus-imapd (ZYPP Patch Number 7584)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55621);\n script_version (\"$Revision: 1.4 $\");\n script_cvs_date(\"$Date: 2012/05/17 11:05:45 $\");\n\n script_cve_id(\"CVE-2011-1926\");\n\n script_name(english:\"SuSE 10 Security Update : cyrus-imapd (ZYPP Patch Number 7584)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cyrus-imapd recognized commands before switching to an encrypted\nchannel via STARTTLS. Attackers could potentially exploit that to\ninject plain text commands. (CVE-2011-1926)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1926.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 7584.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2012 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"cyrus-imapd-2.2.12-27.16.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"cyrus-imapd-devel-2.2.12-27.16.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"perl-Cyrus-IMAP-2.2.12-27.16.28.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"perl-Cyrus-SIEVE-managesieve-2.2.12-27.16.28.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:15:01", "bulletinFamily": "scanner", "description": "It was discovered that the STARTTLS implementation of the Cyrus IMAP server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted IMAP, LMTP, NNTP and POP3 sessions by sending a cleartext command that is processed after TLS is in place.", "modified": "2018-11-10T00:00:00", "id": "DEBIAN_DSA-2242.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55030", "published": "2011-06-10T00:00:00", "title": "Debian DSA-2242-1 : cyrus-imapd-2.2 - implementation error", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2242. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55030);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/10 11:49:35\");\n\n script_cve_id(\"CVE-2011-1926\");\n script_bugtraq_id(46767);\n script_xref(name:\"DSA\", value:\"2242\");\n\n script_name(english:\"Debian DSA-2242-1 : cyrus-imapd-2.2 - implementation error\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the STARTTLS implementation of the Cyrus IMAP\nserver does not properly restrict I/O buffering, which allows\nman-in-the-middle attackers to insert commands into encrypted IMAP,\nLMTP, NNTP and POP3 sessions by sending a cleartext command that is\nprocessed after TLS is in place.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627081\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/cyrus-imapd-2.2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2242\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the cyrus-imapd-2.2 packages.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.2.13-14+lenny4.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.2.13-19+squeeze1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:cyrus-imapd-2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"cyrus-imapd-2.2\", reference:\"2.2.13-14+lenny4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-admin-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-clients-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-common-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-dev-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-doc-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-imapd-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-murder-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-nntpd-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"cyrus-pop3d-2.2\", reference:\"2.2.13-19+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcyrus-imap-perl22\", reference:\"2.2.13-19+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:15:02", "bulletinFamily": "scanner", "description": "- Wed May 18 2011 Michal Hlavinka <mhlavink at redhat.com>\n - 2.3.16-5\n\n - fix CVE-2011-1926: STARTTLS plaintext command injection vulnerability\n\n - Fri Jan 21 2011 Michal Hlavinka <mhlavink at redhat.com> - 2.3.16-4\n\n - don't force sync io for all filesystems\n\n - Tue Apr 20 2010 Michal Hlavinka <mhlavink at redhat.com> - 2.3.16-3\n\n - add support for QoS marked traffic (#576652)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-07-12T00:00:00", "id": "FEDORA_2011-7193.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55051", "published": "2011-06-12T00:00:00", "title": "Fedora 13 : cyrus-imapd-2.3.16-5.fc13 (2011-7193)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-7193.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55051);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/12 15:01:52\");\n\n script_cve_id(\"CVE-2011-1926\");\n script_xref(name:\"FEDORA\", value:\"2011-7193\");\n\n script_name(english:\"Fedora 13 : cyrus-imapd-2.3.16-5.fc13 (2011-7193)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Wed May 18 2011 Michal Hlavinka <mhlavink at redhat.com>\n - 2.3.16-5\n\n - fix CVE-2011-1926: STARTTLS plaintext command\n injection vulnerability\n\n - Fri Jan 21 2011 Michal Hlavinka <mhlavink at\n redhat.com> - 2.3.16-4\n\n - don't force sync io for all filesystems\n\n - Tue Apr 20 2010 Michal Hlavinka <mhlavink at\n redhat.com> - 2.3.16-3\n\n - add support for QoS marked traffic (#576652)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=705288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-June/061415.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ac8d1b4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cyrus-imapd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:cyrus-imapd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"cyrus-imapd-2.3.16-5.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cyrus-imapd\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:21:49", "bulletinFamily": "scanner", "description": "cyrus-imapd recognized commands before switching to an encrypted channel via STARTTLS. Attackers could potentially exploit that to inject plain text commands (CVE-2011-1926).", "modified": "2018-11-10T00:00:00", "id": "SUSE_11_4_CYRUS-IMAPD-110620.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75809", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : cyrus-imapd (openSUSE-SU-2011:0800-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update cyrus-imapd-4736.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75809);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:49:59\");\n\n script_cve_id(\"CVE-2011-1926\");\n\n script_name(english:\"openSUSE Security Update : cyrus-imapd (openSUSE-SU-2011:0800-1)\");\n script_summary(english:\"Check for the cyrus-imapd-4736 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"cyrus-imapd recognized commands before switching to an encrypted\nchannel via STARTTLS. Attackers could potentially exploit that to\ninject plain text commands (CVE-2011-1926).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=694247\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-07/msg00024.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cyrus-imapd packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cyrus-imapd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cyrus-imapd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cyrus-imapd-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:cyrus-imapd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-Cyrus-IMAP\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-Cyrus-IMAP-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-Cyrus-SIEVE-managesieve\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:perl-Cyrus-SIEVE-managesieve-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"cyrus-imapd-2.3.16-16.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"cyrus-imapd-debuginfo-2.3.16-16.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"cyrus-imapd-debugsource-2.3.16-16.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"cyrus-imapd-devel-2.3.16-16.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"perl-Cyrus-IMAP-2.3.16-16.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"perl-Cyrus-IMAP-debuginfo-2.3.16-16.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"perl-Cyrus-SIEVE-managesieve-2.3.16-16.17.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"perl-Cyrus-SIEVE-managesieve-debuginfo-2.3.16-16.17.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cyrus-imapd / cyrus-imapd-devel / perl-Cyrus-IMAP / etc\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:15:02", "bulletinFamily": "scanner", "description": "It was discovered that the STARTTLS implementation of the Kolab Cyrus IMAP server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted IMAP, LMTP, NNTP and POP3 sessions by sending a cleartext command that is processed after TLS is in place.", "modified": "2018-11-10T00:00:00", "id": "DEBIAN_DSA-2258.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55065", "published": "2011-06-13T00:00:00", "title": "Debian DSA-2258-1 : kolab-cyrus-imapd - implementation error", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2258. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55065);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:35\");\n\n script_cve_id(\"CVE-2011-1926\");\n script_xref(name:\"DSA\", value:\"2258\");\n\n script_name(english:\"Debian DSA-2258-1 : kolab-cyrus-imapd - implementation error\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that the STARTTLS implementation of the Kolab Cyrus\nIMAP server does not properly restrict I/O buffering, which allows\nman-in-the-middle attackers to insert commands into encrypted IMAP,\nLMTP, NNTP and POP3 sessions by sending a cleartext command that is\nprocessed after TLS is in place.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629350\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/kolab-cyrus-imapd\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2011/dsa-2258\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the kolab-cyrus-imapd packages.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.2.13-5+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.2.13-9.1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:kolab-cyrus-imapd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"kolab-cyrus-imapd\", reference:\"2.2.13-5+lenny3\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"kolab-cyrus-admin\", reference:\"2.2.13-9.1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"kolab-cyrus-clients\", reference:\"2.2.13-9.1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"kolab-cyrus-common\", reference:\"2.2.13-9.1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"kolab-cyrus-imapd\", reference:\"2.2.13-9.1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"kolab-cyrus-pop3d\", reference:\"2.2.13-9.1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"kolab-libcyrus-imap-perl\", reference:\"2.2.13-9.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:15:11", "bulletinFamily": "scanner", "description": "Cyrus-imapd recognized commands before switching to an encrypted channel via STARTTLS. Attackers could potentially exploit that to inject plain text commands. (CVE-2011-1926)", "modified": "2012-04-23T00:00:00", "id": "SUSE9_12776.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55617", "published": "2011-07-19T00:00:00", "title": "SuSE9 Security Update : cyrus-imapd (YOU Patch Number 12776)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55617);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2012/04/23 18:21:33 $\");\n\n script_cve_id(\"CVE-2011-1926\");\n\n script_name(english:\"SuSE9 Security Update : cyrus-imapd (YOU Patch Number 12776)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 9 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cyrus-imapd recognized commands before switching to an encrypted\nchannel via STARTTLS. Attackers could potentially exploit that to\ninject plain text commands. (CVE-2011-1926)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-1926.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply YOU patch number 12776.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/06/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/07/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2012 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 9 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SUSE9\", reference:\"cyrus-imapd-2.2.3-83.44\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"cyrus-imapd-devel-2.2.3-83.44\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"perl-Cyrus-IMAP-2.2.3-83.44\")) flag++;\nif (rpm_check(release:\"SUSE9\", reference:\"perl-Cyrus-SIEVE-managesieve-2.2.3-83.44\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:15:02", "bulletinFamily": "scanner", "description": "- Tue May 17 2011 Michal Hlavinka <mhlavink at redhat.com>\n - 2.3.16-8\n\n - fix CVE-2011-1926: STARTTLS plaintext command injection vulnerability\n\n - Fri Jan 21 2011 Michal Hlavinka <mhlavink at redhat.com> - 2.3.16-7\n\n - don't force sync io for all filesystems\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-07-12T00:00:00", "id": "FEDORA_2011-7217.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=55052", "published": "2011-06-12T00:00:00", "title": "Fedora 14 : cyrus-imapd-2.3.16-8.fc14 (2011-7217)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-7217.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(55052);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/12 15:01:52\");\n\n script_cve_id(\"CVE-2011-1926\");\n script_xref(name:\"FEDORA\", value:\"2011-7217\");\n\n script_name(english:\"Fedora 14 : cyrus-imapd-2.3.16-8.fc14 (2011-7217)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Tue May 17 2011 Michal Hlavinka <mhlavink at redhat.com>\n - 2.3.16-8\n\n - fix CVE-2011-1926: STARTTLS plaintext command\n injection vulnerability\n\n - Fri Jan 21 2011 Michal Hlavinka <mhlavink at\n redhat.com> - 2.3.16-7\n\n - don't force sync io for all filesystems\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=705288\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-June/061374.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?136b0a43\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected cyrus-imapd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:cyrus-imapd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/06/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"cyrus-imapd-2.3.16-8.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"cyrus-imapd\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:55:33", "bulletinFamily": "scanner", "description": "Check for the Version of cyrus-imapd", "modified": "2017-07-06T00:00:00", "published": "2011-06-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=831410", "id": "OPENVAS:831410", "title": "Mandriva Update for cyrus-imapd MDVSA-2011:100 (cyrus-imapd)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for cyrus-imapd MDVSA-2011:100 (cyrus-imapd)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A vulnerability has been identified and fixed in cyrus-imapd:\n\n The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does\n not properly restrict I/O buffering, which allows man-in-the-middle\n attackers to insert commands into encrypted sessions by sending a\n cleartext command that is processed after TLS is in place, related to\n a plaintext command injection attack, a similar issue to CVE-2011-0411\n (CVE-2011-1926).\n \n Packages for 2009.0 are provided as of the Extended Maintenance\n Program. Please visit this link to learn more:\n http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490\n \n The updated packages have been patched to correct this issue.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"cyrus-imapd on Mandriva Linux 2009.0,\n Mandriva Linux 2009.0/X86_64,\n Mandriva Linux 2010.1,\n Mandriva Linux 2010.1/X86_64,\n Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2011-05/msg00025.php\");\n script_id(831410);\n script_version(\"$Revision: 6570 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:06:35 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-03 09:20:26 +0200 (Fri, 03 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"MDVSA\", value: \"2011:100\");\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_name(\"Mandriva Update for cyrus-imapd MDVSA-2011:100 (cyrus-imapd)\");\n\n script_summary(\"Check for the Version of cyrus-imapd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2009.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:56", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2011-06-03T00:00:00", "id": "OPENVAS:1361412562310831410", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310831410", "title": "Mandriva Update for cyrus-imapd MDVSA-2011:100 (cyrus-imapd)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for cyrus-imapd MDVSA-2011:100 (cyrus-imapd)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.mandriva.com/security-announce/2011-05/msg00025.php\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.831410\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-03 09:20:26 +0200 (Fri, 03 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"MDVSA\", value:\"2011:100\");\n script_cve_id(\"CVE-2011-0411\", \"CVE-2011-1926\");\n script_name(\"Mandriva Update for cyrus-imapd MDVSA-2011:100 (cyrus-imapd)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cyrus-imapd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\", re:\"ssh/login/release=MNDK_(mes5|2010\\.1|2009\\.0)\");\n script_tag(name:\"affected\", value:\"cyrus-imapd on Mandriva Linux 2009.0,\n Mandriva Linux 2009.0/X86_64,\n Mandriva Linux 2010.1,\n Mandriva Linux 2010.1/X86_64,\n Mandriva Enterprise Server 5,\n Mandriva Enterprise Server 5/X86_64\");\n script_tag(name:\"insight\", value:\"A vulnerability has been identified and fixed in cyrus-imapd:\n\n The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does\n not properly restrict I/O buffering, which allows man-in-the-middle\n attackers to insert commands into encrypted sessions by sending a\n cleartext command that is processed after TLS is in place, related to\n a plaintext command injection attack, a similar issue to CVE-2011-0411\n (CVE-2011-1926).\n\n Packages for 2009.0 are provided as of the Extended Maintenance\n Program. The updated packages have been patched to correct this issue.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MNDK_mes5\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.3.12~0.p2.4.2mdvmes5.2\", rls:\"MNDK_mes5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"MNDK_2010.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.3.15~10.2mdv2010.2\", rls:\"MNDK_2010.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"MNDK_2009.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.3.12~0.p2.4.2mdv2009.0\", rls:\"MNDK_2009.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-11T11:07:41", "bulletinFamily": "scanner", "description": "Check for the Version of cyrus-imapd", "modified": "2018-01-10T00:00:00", "published": "2012-07-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=881403", "id": "OPENVAS:881403", "title": "CentOS Update for cyrus-imapd CESA-2011:0859 centos5 x86_64", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cyrus-imapd CESA-2011:0859 centos5 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The cyrus-imapd packages contain a high-performance mail server with IMAP,\n POP3, NNTP, and Sieve support.\n\n It was discovered that cyrus-imapd did not flush the received commands\n buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3\n sessions. A man-in-the-middle attacker could use this flaw to inject\n protocol commands into a victim's TLS session initialization messages. This\n could lead to those commands being processed by cyrus-imapd, potentially\n allowing the attacker to steal the victim's mail or authentication\n credentials. (CVE-2011-1926)\n \n Users of cyrus-imapd are advised to upgrade to these updated packages,\n which contain a backported patch to correct this issue. After installing\n the update, cyrus-imapd will be restarted automatically.\";\n\ntag_affected = \"cyrus-imapd on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-June/017611.html\");\n script_id(881403);\n script_version(\"$Revision: 8352 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-10 08:01:57 +0100 (Wed, 10 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:46:33 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-1926\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2011:0859\");\n script_name(\"CentOS Update for cyrus-imapd CESA-2011:0859 centos5 x86_64\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of cyrus-imapd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-perl\", rpm:\"cyrus-imapd-perl~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T10:58:24", "bulletinFamily": "scanner", "description": "Check for the Version of cyrus-imapd", "modified": "2017-12-26T00:00:00", "published": "2012-07-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=881318", "id": "OPENVAS:881318", "title": "CentOS Update for cyrus-imapd CESA-2011:0859 centos4 x86_64", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cyrus-imapd CESA-2011:0859 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The cyrus-imapd packages contain a high-performance mail server with IMAP,\n POP3, NNTP, and Sieve support.\n\n It was discovered that cyrus-imapd did not flush the received commands\n buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3\n sessions. A man-in-the-middle attacker could use this flaw to inject\n protocol commands into a victim's TLS session initialization messages. This\n could lead to those commands being processed by cyrus-imapd, potentially\n allowing the attacker to steal the victim's mail or authentication\n credentials. (CVE-2011-1926)\n \n Users of cyrus-imapd are advised to upgrade to these updated packages,\n which contain a backported patch to correct this issue. After installing\n the update, cyrus-imapd will be restarted automatically.\";\n\ntag_affected = \"cyrus-imapd on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-August/017674.html\");\n script_id(881318);\n script_version(\"$Revision: 8245 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-26 07:29:59 +0100 (Tue, 26 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:22:54 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-1926\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2011:0859\");\n script_name(\"CentOS Update for cyrus-imapd CESA-2011:0859 centos4 x86_64\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of cyrus-imapd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:1361412562310880536", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880536", "title": "CentOS Update for cyrus-imapd CESA-2011:0859 centos5 i386", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cyrus-imapd CESA-2011:0859 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2011-June/017612.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880536\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"CESA\", value:\"2011:0859\");\n script_cve_id(\"CVE-2011-1926\");\n script_name(\"CentOS Update for cyrus-imapd CESA-2011:0859 centos5 i386\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cyrus-imapd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"cyrus-imapd on CentOS 5\");\n script_tag(name:\"insight\", value:\"The cyrus-imapd packages contain a high-performance mail server with IMAP,\n POP3, NNTP, and Sieve support.\n\n It was discovered that cyrus-imapd did not flush the received commands\n buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3\n sessions. A man-in-the-middle attacker could use this flaw to inject\n protocol commands into a victim's TLS session initialization messages. This\n could lead to those commands being processed by cyrus-imapd, potentially\n allowing the attacker to steal the victim's mail or authentication\n credentials. (CVE-2011-1926)\n\n Users of cyrus-imapd are advised to upgrade to these updated packages,\n which contain a backported patch to correct this issue. After installing\n the update, cyrus-imapd will be restarted automatically.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-perl\", rpm:\"cyrus-imapd-perl~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:34", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881403", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881403", "title": "CentOS Update for cyrus-imapd CESA-2011:0859 centos5 x86_64", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cyrus-imapd CESA-2011:0859 centos5 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2011-June/017611.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881403\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:46:33 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-1926\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"CESA\", value:\"2011:0859\");\n script_name(\"CentOS Update for cyrus-imapd CESA-2011:0859 centos5 x86_64\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cyrus-imapd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"cyrus-imapd on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"The cyrus-imapd packages contain a high-performance mail server with IMAP,\n POP3, NNTP, and Sieve support.\n\n It was discovered that cyrus-imapd did not flush the received commands\n buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3\n sessions. A man-in-the-middle attacker could use this flaw to inject\n protocol commands into a victim's TLS session initialization messages. This\n could lead to those commands being processed by cyrus-imapd, potentially\n allowing the attacker to steal the victim's mail or authentication\n credentials. (CVE-2011-1926)\n\n Users of cyrus-imapd are advised to upgrade to these updated packages,\n which contain a backported patch to correct this issue. After installing\n the update, cyrus-imapd will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-perl\", rpm:\"cyrus-imapd-perl~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.3.7~7.el5_6.4\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:55:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update to cyrus-imapd-2.2\nannounced via advisory DSA 2242-1.", "modified": "2017-07-07T00:00:00", "published": "2011-08-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=69740", "id": "OPENVAS:69740", "title": "Debian Security Advisory DSA 2242-1 (cyrus-imapd-2.2)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2242_1.nasl 6613 2017-07-07 12:08:40Z cfischer $\n# Description: Auto-generated from advisory DSA 2242-1 (cyrus-imapd-2.2)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that the STARTTLS implementation of the Cyrus IMAP\nserver does not properly restrict I/O buffering, which allows\nman-in-the-middle attackers to insert commands into encrypted IMAP,\nLMTP, NNTP and POP3 sessions by sending a cleartext command that is\nprocessed after TLS is in place.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.2.13-14+lenny4.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.2.13-19+squeeze1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.13p1-11 for cyrus-imapd-2.2 and in version 2.4.7-1\nfor cyrus-imapd-2.4.\n\nWe recommend that you upgrade your cyrus-imapd-2.2 packages.\";\ntag_summary = \"The remote host is missing an update to cyrus-imapd-2.2\nannounced via advisory DSA 2242-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202242-1\";\n\n\nif(description)\n{\n script_id(69740);\n script_version(\"$Revision: 6613 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:40 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-03 04:36:20 +0200 (Wed, 03 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1926\");\n script_name(\"Debian Security Advisory DSA 2242-1 (cyrus-imapd-2.2)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"2\", ver:\"2.2.13-14+lenny4\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcyrus-imap-perl22\", ver:\"2.2.13-14+lenny4\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"2\", ver:\"2.2.13-19+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcyrus-imap-perl22\", ver:\"2.2.13-19+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:40:03", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-06-20T00:00:00", "id": "OPENVAS:1361412562310863273", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863273", "title": "Fedora Update for cyrus-imapd FEDORA-2011-7217", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for cyrus-imapd FEDORA-2011-7217\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061374.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863273\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-20 08:37:08 +0200 (Mon, 20 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2011-7217\");\n script_cve_id(\"CVE-2011-1926\");\n script_name(\"Fedora Update for cyrus-imapd FEDORA-2011-7217\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cyrus-imapd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC14\");\n script_tag(name:\"affected\", value:\"cyrus-imapd on Fedora 14\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.3.16~8.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-25T10:55:42", "bulletinFamily": "scanner", "description": "Check for the Version of cyrus-imapd", "modified": "2017-07-10T00:00:00", "published": "2011-08-18T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=880958", "id": "OPENVAS:880958", "title": "CentOS Update for cyrus-imapd CESA-2011:0859 centos4 i386", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cyrus-imapd CESA-2011:0859 centos4 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The cyrus-imapd packages contain a high-performance mail server with IMAP,\n POP3, NNTP, and Sieve support.\n\n It was discovered that cyrus-imapd did not flush the received commands\n buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3\n sessions. A man-in-the-middle attacker could use this flaw to inject\n protocol commands into a victim's TLS session initialization messages. This\n could lead to those commands being processed by cyrus-imapd, potentially\n allowing the attacker to steal the victim's mail or authentication\n credentials. (CVE-2011-1926)\n \n Users of cyrus-imapd are advised to upgrade to these updated packages,\n which contain a backported patch to correct this issue. After installing\n the update, cyrus-imapd will be restarted automatically.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"cyrus-imapd on CentOS 4\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-August/017673.html\");\n script_id(880958);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-18 14:57:45 +0200 (Thu, 18 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2011:0859\");\n script_cve_id(\"CVE-2011-1926\");\n script_name(\"CentOS Update for cyrus-imapd CESA-2011:0859 centos4 i386\");\n\n script_summary(\"Check for the Version of cyrus-imapd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881318", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881318", "title": "CentOS Update for cyrus-imapd CESA-2011:0859 centos4 x86_64", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for cyrus-imapd CESA-2011:0859 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2011-August/017674.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881318\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:22:54 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2011-1926\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"CESA\", value:\"2011:0859\");\n script_name(\"CentOS Update for cyrus-imapd CESA-2011:0859 centos4 x86_64\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'cyrus-imapd'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS4\");\n script_tag(name:\"affected\", value:\"cyrus-imapd on CentOS 4\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"The cyrus-imapd packages contain a high-performance mail server with IMAP,\n POP3, NNTP, and Sieve support.\n\n It was discovered that cyrus-imapd did not flush the received commands\n buffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3\n sessions. A man-in-the-middle attacker could use this flaw to inject\n protocol commands into a victim's TLS session initialization messages. This\n could lead to those commands being processed by cyrus-imapd, potentially\n allowing the attacker to steal the victim's mail or authentication\n credentials. (CVE-2011-1926)\n\n Users of cyrus-imapd are advised to upgrade to these updated packages,\n which contain a backported patch to correct this issue. After installing\n the update, cyrus-imapd will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd\", rpm:\"cyrus-imapd~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-devel\", rpm:\"cyrus-imapd-devel~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-murder\", rpm:\"cyrus-imapd-murder~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-nntp\", rpm:\"cyrus-imapd-nntp~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"cyrus-imapd-utils\", rpm:\"cyrus-imapd-utils~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perl-Cyrus\", rpm:\"perl-Cyrus~2.2.12~15.el4_8\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:40", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2011:100\r\n http://www.mandriva.com/security/\r\n _______________________________________________________________________\r\n\r\n Package : cyrus-imapd\r\n Date : May 24, 2011\r\n Affected: 2009.0, 2010.1, Corporate 4.0, Enterprise Server 5.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n A vulnerability has been identified and fixed in cyrus-imapd:\r\n \r\n The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does\r\n not properly restrict I/O buffering, which allows man-in-the-middle\r\n attackers to insert commands into encrypted sessions by sending a\r\n cleartext command that is processed after TLS is in place, related to\r\n a plaintext command injection attack, a similar issue to CVE-2011-0411\r\n (CVE-2011-1926).\r\n \r\n Packages for 2009.0 are provided as of the Extended Maintenance\r\n Program. Please visit this link to learn more:\r\n http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490\r\n \r\n The updated packages have been patched to correct this issue.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1926\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Linux 2009.0:\r\n 498d5b68bb40c8f647ee02665beb3646 2009.0/i586/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.i586.rpm\r\n 52718b5cd0166f62fa15bf6f4ec65d56 \r\n2009.0/i586/cyrus-imapd-devel-2.3.12-0.p2.4.2mdv2009.0.i586.rpm\r\n 34e7b7a7cd5f7cad2dc6e068164b0fdc \r\n2009.0/i586/cyrus-imapd-murder-2.3.12-0.p2.4.2mdv2009.0.i586.rpm\r\n 33e98b4e6bcf6ce9dd16e44b0ca75701 \r\n2009.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdv2009.0.i586.rpm\r\n 9a3803b65facdf6f35b6d9056ce79a47 \r\n2009.0/i586/cyrus-imapd-utils-2.3.12-0.p2.4.2mdv2009.0.i586.rpm\r\n 37252ed6cfb44699178c1beef4db9e9b 2009.0/i586/perl-Cyrus-2.3.12-0.p2.4.2mdv2009.0.i586.rpm \r\n 6f396249a59b1f73d015102ce85b70ed 2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.src.rpm\r\n\r\n Mandriva Linux 2009.0/X86_64:\r\n 9c80de09df788a63bcaff8dbac7ae51e \r\n2009.0/x86_64/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm\r\n 83839c1d5e23260b3b9568f67d9263bb \r\n2009.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm\r\n 7eba11d541e46f84274455f4e2e73783 \r\n2009.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm\r\n 6dd7cba369978b229826fbadb52c6281 \r\n2009.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm\r\n 55d2a884babf37537c0893410be5999e \r\n2009.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm\r\n c517ce121ead39692cbc5d3e6d0bd035 \r\n2009.0/x86_64/perl-Cyrus-2.3.12-0.p2.4.2mdv2009.0.x86_64.rpm \r\n 6f396249a59b1f73d015102ce85b70ed 2009.0/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdv2009.0.src.rpm\r\n\r\n Mandriva Linux 2010.1:\r\n a1424b6d2116c8d04ddf599d47d0066c 2010.1/i586/cyrus-imapd-2.3.15-10.2mdv2010.2.i586.rpm\r\n 979e2a7916c2169592188d798fc9afc3 2010.1/i586/cyrus-imapd-devel-2.3.15-10.2mdv2010.2.i586.rpm\r\n d8220c9ae8b12aba911d1ca3c1d8d9bc 2010.1/i586/cyrus-imapd-murder-2.3.15-10.2mdv2010.2.i586.rpm\r\n da26c65b19ea37a05423367287914a1d 2010.1/i586/cyrus-imapd-nntp-2.3.15-10.2mdv2010.2.i586.rpm\r\n bd15ad1797b25046fa1f5fc6223041a3 2010.1/i586/cyrus-imapd-utils-2.3.15-10.2mdv2010.2.i586.rpm\r\n 202641315ef7e281b0ac9d49b41dc5b2 2010.1/i586/perl-Cyrus-2.3.15-10.2mdv2010.2.i586.rpm \r\n 907ddfe3b1ca22885fd437edc7f38a54 2010.1/SRPMS/cyrus-imapd-2.3.15-10.2mdv2010.2.src.rpm\r\n\r\n Mandriva Linux 2010.1/X86_64:\r\n 98084c7318761c7e716c9704b41599df 2010.1/x86_64/cyrus-imapd-2.3.15-10.2mdv2010.2.x86_64.rpm\r\n fe1845c0fb1f518b7b4589e59eb522dd \r\n2010.1/x86_64/cyrus-imapd-devel-2.3.15-10.2mdv2010.2.x86_64.rpm\r\n ff61a5b78885d513be547c5d3abe5e5b \r\n2010.1/x86_64/cyrus-imapd-murder-2.3.15-10.2mdv2010.2.x86_64.rpm\r\n 8b77e0f150e904d529c9742ee6531619 \r\n2010.1/x86_64/cyrus-imapd-nntp-2.3.15-10.2mdv2010.2.x86_64.rpm\r\n 2c51ef5a91da31245b8b12dcbdd1af84 \r\n2010.1/x86_64/cyrus-imapd-utils-2.3.15-10.2mdv2010.2.x86_64.rpm\r\n b26c3480fa743eef4a9241b1be75cf91 2010.1/x86_64/perl-Cyrus-2.3.15-10.2mdv2010.2.x86_64.rpm \r\n 907ddfe3b1ca22885fd437edc7f38a54 2010.1/SRPMS/cyrus-imapd-2.3.15-10.2mdv2010.2.src.rpm\r\n\r\n Corporate 4.0:\r\n 45c23a293396522a89503b10a8f5db1f \r\ncorporate/4.0/i586/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm\r\n 91eb948568050fabe11c6eb55b90a26e \r\ncorporate/4.0/i586/cyrus-imapd-devel-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm\r\n 5a8b99fe60f67a158a1610cfb85fdc79 \r\ncorporate/4.0/i586/cyrus-imapd-murder-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm\r\n 87eeee87f8777f16f210c8364f107ba0 \r\ncorporate/4.0/i586/cyrus-imapd-nntp-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm\r\n 0b802cff2c75731783dde8bafde043ee \r\ncorporate/4.0/i586/cyrus-imapd-utils-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm\r\n d27c5d8a57ea4adcf29c252c74a95720 \r\ncorporate/4.0/i586/perl-Cyrus-2.3.12-0.p2.3.3.20060mlcs4.i586.rpm \r\n ade0c37e3e36d2504f9700cd94f2dc74 \r\ncorporate/4.0/SRPMS/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.src.rpm\r\n\r\n Corporate 4.0/X86_64:\r\n 1f5cae7f38de7492414d31226ba2676e \r\ncorporate/4.0/x86_64/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm\r\n 21189c14023ad6edcf7433a0932caf59 \r\ncorporate/4.0/x86_64/cyrus-imapd-devel-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm\r\n c862cf5ed064b9bb28523d87f1077920 \r\ncorporate/4.0/x86_64/cyrus-imapd-murder-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm\r\n d501b94549efb93571eef10f352fd795 \r\ncorporate/4.0/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm\r\n 9aa31a3991d96607132fec6250501fa4 \r\ncorporate/4.0/x86_64/cyrus-imapd-utils-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm\r\n b29f43dbabf91ad0373da71e5c2def91 \r\ncorporate/4.0/x86_64/perl-Cyrus-2.3.12-0.p2.3.3.20060mlcs4.x86_64.rpm \r\n ade0c37e3e36d2504f9700cd94f2dc74 \r\ncorporate/4.0/SRPMS/cyrus-imapd-2.3.12-0.p2.3.3.20060mlcs4.src.rpm\r\n\r\n Mandriva Enterprise Server 5:\r\n 44ccd362ff4536d279c6bc766fdde321 mes5/i586/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm\r\n dad6eac600091c4da1d8faebfa1e82b8 \r\nmes5/i586/cyrus-imapd-devel-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm\r\n 3fece92c479e94610d82c590530af616 \r\nmes5/i586/cyrus-imapd-murder-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm\r\n c3d98ddbedac750bf27eec165c5b5902 mes5/i586/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm\r\n 3275d942a0be02ca5c5810e181dcd518 \r\nmes5/i586/cyrus-imapd-utils-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm\r\n 9b75bc3f9437bd461e8ad8e057be1f39 mes5/i586/perl-Cyrus-2.3.12-0.p2.4.2mdvmes5.2.i586.rpm \r\n 797d5d4a98b15d89a16b60b13a9782fc mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.src.rpm\r\n\r\n Mandriva Enterprise Server 5/X86_64:\r\n 64262442694df3a279c20ff7fbcc2588 mes5/x86_64/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm\r\n f638482001851e8356435b9cdca935d8 \r\nmes5/x86_64/cyrus-imapd-devel-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm\r\n f8039806879ebd5dc67b3bf5640b82a5 \r\nmes5/x86_64/cyrus-imapd-murder-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm\r\n 3f746817849822daf1271b5357d5fe84 \r\nmes5/x86_64/cyrus-imapd-nntp-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm\r\n ea74bb4cd9bb9734ffd16f30fe77fb0d \r\nmes5/x86_64/cyrus-imapd-utils-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm\r\n 1a21b438502b53ce5121608a2e95450e mes5/x86_64/perl-Cyrus-2.3.12-0.p2.4.2mdvmes5.2.x86_64.rpm \r\n 797d5d4a98b15d89a16b60b13a9782fc mes5/SRPMS/cyrus-imapd-2.3.12-0.p2.4.2mdvmes5.2.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niD8DBQFN23yjmqjQ0CJFipgRAofTAKCbzecv2sfr6Sed19e3ToSx9i6gtQCgg6/B\r\n10VNAxDouhTji/NBIie0PVc=\r\n=6jGs\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2011-05-25T00:00:00", "published": "2011-05-25T00:00:00", "id": "SECURITYVULNS:DOC:26393", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26393", "title": "[ MDVSA-2011:100 ] cyrus-imapd", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:41", "bulletinFamily": "software", "description": "Atacker can inject cleartext commands before TLS phase.", "modified": "2012-10-04T00:00:00", "published": "2012-10-04T00:00:00", "id": "SECURITYVULNS:VULN:11492", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11492", "title": "STARTTLS vulnerability in different mail applications", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "description": "This is a writeup about a flaw that I found recently, and that\r\nexisted in multiple implementations of SMTP (Simple Mail Transfer\r\nProtocol) over TLS (Transport Layer Security) including my Postfix\r\nopen source mailserver. I give an overview of the problem and its\r\nimpact, how to find out if a server is affected, fixes, and draw\r\nlessons about where we can expect similar problems. A time line\r\nis at the end.\r\n\r\nFor further reading:\r\nhttp://www.kb.cert.org/vuls/id/555316 \r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411\r\nhttp://www.postfix.org/CVE-2011-0411.html (extended writeup)\r\n\r\n Wietse\r\n\r\nProblem overview and impact\r\n===========================\r\n\r\nThe TLS protocol encrypts communication and protects it against\r\nmodification by other parties. This protection exists only if a)\r\nsoftware is free of flaws, and b) clients verify the server's TLS\r\ncertificate, so that there can be no "man in the middle" (servers\r\nusually don't verify client certificates).\r\n\r\nThe problem discussed in this writeup is caused by a software flaw.\r\nThe flaw allows an attacker to inject client commands into an SMTP\r\nsession during the unprotected plaintext SMTP protocol phase (more\r\non that below), such that the server will execute those commands\r\nduring the SMTP-over-TLS protocol phase when all communication is\r\nsupposed to be protected.\r\n\r\nThe injected commands could be used to steal the victim's email or\r\nSASL (Simple Authentication and Security Layer) username and password.\r\n\r\nThis is not as big a problem as it may appear to be. The reason\r\nis that many SMTP client applications don't verify server TLS\r\ncertificates. These SMTP clients are always vulnerable to command\r\ninjection and other attacks. Their TLS sessions are only encrypted\r\nbut not protected.\r\n\r\nA similar plaintext injection flaw may exist in the way SMTP clients\r\nhandle SMTP-over-TLS server responses, but its impact is less\r\ninteresting than the server-side flaw.\r\n\r\nSMTP is not the only protocol with a mid-session switch from plaintext\r\nto TLS. Other examples are POP3, IMAP, NNTP and FTP. Implementations\r\nof these protocols may be affected by the same flaw as discussed here.\r\n\r\nDemonstration\r\n=============\r\n\r\nThe problem is easy to demonstrate with a one-line change to the\r\nOpenSSL s_client command source code (I would prefer scripting, but\r\nhaving to install Perl CPAN modules and all their dependencies is\r\nmore work than downloading a .tar.gz file from openssl.org, adding\r\neight characters to one line, and doing "./config; make").\r\n\r\nThe OpenSSL s_client command can make a connection to servers that\r\nsupport straight TLS, SMTP over TLS, or a handful other protocols\r\nover TLS. The demonstration with SMTP over TLS involves a one-line\r\nchange in the OpenSSL s_client source code (with OpenSSL 1.0.0, at\r\nline 1129 of file apps/s_client.c).\r\n\r\nOld: BIO_printf(sbio,"STARTTLS\r\n");\r\nNew: BIO_printf(sbio,"STARTTLS\r\nRSET\r\n");\r\n\r\nWith this change, the s_client command sends the plaintext STARTTLS\r\ncommand ("let's turn on TLS") immediately followed by an RSET command\r\n(a relatively harmless protocol "reset"). Both commands are sent\r\nas plaintext in the same TCP/IP packet, and arrive together at the\r\nserver. The "\r\n" are the carriage-return and newline characters;\r\nthese are necessary to terminate an SMTP command.\r\n\r\nWhen an SMTP server has the plaintext injection flaw, it reads the\r\nSTARTTLS command first, switches to SMTP-over-TLS mode, and only\r\nthen the server reads the RSET command. Note, the RSET command was\r\ntransmitted during the plaintext SMTP phase when there is no\r\nprotection, but the server reads the command as if it was received\r\nover the TLS-protected channel.\r\n\r\nThus, when the SMTP server has the flaw, the s_client command output\r\nwill show two "250" SMTP server responses instead of one. The first\r\n"250" response is normal, and is present even when the server is\r\nnot flawed. The second "250" response is for the RSET command, and\r\nindicates that the SMTP server has the plaintext injection flaw.\r\n\r\n $ apps/openssl s_client -quiet -starttls smtp -connect server:port\r\n [some server TLS certificate details omitted]\r\n 250 some text here <=== Normal response, also with "good" server.\r\n 250 more text here <=== RSET response, only with flawed server.\r\n\r\nAnatomy of the flaw: it's all about the plumbing\r\n================================================\r\n\r\nWhether a program may have the plaintext injection flaw depends on\r\nhow it adjusts the plumbing, as it inserts the TLS protocol layer\r\nin-between the SMTP protocol layer and the O/S TCP/IP protocol\r\nlayer. I illustrate this with examples from three open source MTAs:\r\nPostfix, Sendmail and Exim. The diagram below is best viewed with\r\na fixed-width font, for example, from the Courier family.\r\n\r\n Postfix MTA Sendmail MTA Exim MTA\r\n before/after before/after before/after\r\n switch to TLS switch to TLS switch to TLS\r\n\r\n SMTP SMTP SMTP SMTP SMTP SMTP <= SMTP layer\r\n || || || || || ||\r\n stream stream stream stream' || ||\r\n buffers buffers buffers buffers' rw r'w' <= stream layer\r\n rw r'w' rw r'w' || ||\r\n || || || || || ||\r\n || TLS || TLS || TLS <= TLS layer\r\n || || || || || ||\r\n O/S O/S O/S O/S O/S O/S <= TCP/IP layer\r\n\r\nAs shown in the diagram, both Postfix and Sendmail use an application-\r\nlevel stream abstraction, where each stream has properties such as\r\nread/write buffers, read/write functions (indicated with rw), and\r\nother properties that are omitted for brevity.\r\n\r\nWhen Postfix switches to SMTP over TLS, it replaces the plaintext\r\nread/write functions (rw) with the TLS read/write functions (r'w').\r\nPostfix does not modify any of the other stream properties including\r\nthe read/write buffers. A patch for qmail that introduces TLS\r\nsupport uses the same approach. This approach of replacing only\r\nthe stream read/write functions, but not the buffers or other stream\r\nproperties, can introduce the plaintext injection flaw.\r\n\r\nWhen Sendmail switches to SMTP over TLS, it replaces the entire\r\nstream, along with its read/write buffers and read/write functions.\r\nExim, on the other hand, does not seem to have a stream abstraction\r\nlike Postfix, Sendmail or qmail. Instead of replacing streams or\r\nstream properties, Exim replaces plaintext read/write functions\r\nwith TLS read/write functions. Because of their program structure,\r\nSendmail and Exim didn't suffer from the plaintext injection flaw.\r\n\r\nFixing the problem\r\n==================\r\n\r\nThere are two solutions to address the flaw, and both solutions can\r\nbe used together.\r\n\r\n- Report an error when unexpected plaintext is received after the\r\n STARTTLS command. As documented in RFC 3207, STARTTLS must be\r\n the last command in a pipelined group. If plaintext commands are\r\n received after STARTTLS, then that is a protocol violation. \r\n\r\n This measure can also be implemented outside the MTA, for example\r\n in a protocol-aware firewall.\r\n\r\n- If a program uses the same input buffer before and after the\r\n switch to TLS, it should discard the contents of the input buffer,\r\n just like it discards SMTP protocol information that it received\r\n during the plaintext protocol phase.\r\n\r\nConclusion\r\n==========\r\n\r\nThis plaintext injection problem is likely to recur when some\r\ndevelopment moves the plaintext-to-ciphertext switch outside the\r\napplication: for example, into the kernel, into the local hardware,\r\ninto a proxy, or into other infrastructure. This encourages\r\napplications to use the same application-level streams and buffers\r\nand read/write functions before and after the switch to ciphertext.\r\nWhen this migration happens, plaintext injection becomes once more\r\na possibility.\r\n\r\nTime line\r\n=========\r\n\r\nJan 5 2011: While finishing Postfix for its annual release, I found\r\nand fixed this flaw in the SMTP server and client implementations,\r\nwhere it had been sitting ever since TLS support was adopted.\r\n\r\nJan 6-10 2011: As we investigated the scope of the problem, Victor\r\nDuchovni (co-developer) discovered that other implementations were\r\nalso affected including security providers and security appliances.\r\n\r\nJan 11 2011: Contact CERT/CC to help coordinate with the problem's\r\nresolution.\r\n\r\nMar 7 2011: Public announcement, and Postfix legacy release updates.", "modified": "2011-03-10T00:00:00", "published": "2011-03-10T00:00:00", "id": "SECURITYVULNS:DOC:25899", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25899", "title": "Plaintext injection in STARTTLS (multiple implementations)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "centos": [{"lastseen": "2019-05-29T18:34:13", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2011:0859\n\n\nThe cyrus-imapd packages contain a high-performance mail server with IMAP,\nPOP3, NNTP, and Sieve support.\n\nIt was discovered that cyrus-imapd did not flush the received commands\nbuffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3\nsessions. A man-in-the-middle attacker could use this flaw to inject\nprotocol commands into a victim's TLS session initialization messages. This\ncould lead to those commands being processed by cyrus-imapd, potentially\nallowing the attacker to steal the victim's mail or authentication\ncredentials. (CVE-2011-1926)\n\nUsers of cyrus-imapd are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After installing\nthe update, cyrus-imapd will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-August/017673.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-August/017674.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-June/017611.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-June/017612.html\n\n**Affected packages:**\ncyrus-imapd\ncyrus-imapd-devel\ncyrus-imapd-murder\ncyrus-imapd-nntp\ncyrus-imapd-perl\ncyrus-imapd-utils\nperl-Cyrus\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-0859.html", "modified": "2011-08-14T17:20:30", "published": "2011-06-08T16:42:26", "href": "http://lists.centos.org/pipermail/centos-announce/2011-June/017611.html", "id": "CESA-2011:0859", "title": "cyrus, perl security update", "type": "centos", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:23:04", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2257-1 security@debian.org\nhttp://www.debian.org/security/ Nico Golde\nJune 11, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : kolab-cyrus-imapd\nVulnerability : implementation error\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-1926\nDebian Bug : 629350\n\nIt was discovered that the STARTTLS implementation of the \nKolab Cyrus IMAP server does not properly restrict I/O buffering,\nwhich allows man-in-the-middle attackers to insert commands into encrypted\nIMAP, LMTP, NNTP and POP3 sessions by sending a cleartext command that is \nprocessed after TLS is in place.\n\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.2.13-5+lenny3.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.2.13-9.1.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 2.2.13p1-0.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.13p1-0.1.\n\nWe recommend that you upgrade your kolab-cyrus-imapd packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n", "modified": "2011-06-11T16:51:31", "published": "2011-06-11T16:51:31", "id": "DEBIAN:DSA-2258-1:631EF", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00128.html", "title": "[SECURITY] [DSA 2258-1] kolab-cyrus-imapd security update", "type": "debian", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:59", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2242-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nMay 25, 2011 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : cyrus-imapd-2.2\nVulnerability : implementation error\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-1926 \nDebian Bug : 627081\n\nIt was discovered that the STARTTLS implementation of the Cyrus IMAP \nserver does not properly restrict I/O buffering, which allows \nman-in-the-middle attackers to insert commands into encrypted IMAP, \nLMTP, NNTP and POP3 sessions by sending a cleartext command that is \nprocessed after TLS is in place.\n\nFor the oldstable distribution (lenny), this problem has been fixed in\nversion 2.2.13-14+lenny4.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.2.13-19+squeeze1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.2.13p1-11 for cyrus-imapd-2.2 and in version 2.4.7-1\nfor cyrus-imapd-2.4.\n\nWe recommend that you upgrade your cyrus-imapd-2.2 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2011-05-25T20:12:08", "published": "2011-05-25T20:12:08", "id": "DEBIAN:DSA-2242-1:A19E9", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2011/msg00112.html", "title": "[SECURITY] [DSA 2242-1] cyrus-imapd-2.2 security update", "type": "debian", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:45:50", "bulletinFamily": "unix", "description": "The cyrus-imapd packages contain a high-performance mail server with IMAP,\nPOP3, NNTP, and Sieve support.\n\nIt was discovered that cyrus-imapd did not flush the received commands\nbuffer after switching to TLS encryption for IMAP, LMTP, NNTP, and POP3\nsessions. A man-in-the-middle attacker could use this flaw to inject\nprotocol commands into a victim's TLS session initialization messages. This\ncould lead to those commands being processed by cyrus-imapd, potentially\nallowing the attacker to steal the victim's mail or authentication\ncredentials. (CVE-2011-1926)\n\nUsers of cyrus-imapd are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. After installing\nthe update, cyrus-imapd will be restarted automatically.\n", "modified": "2018-06-06T20:24:29", "published": "2011-06-08T04:00:00", "id": "RHSA-2011:0859", "href": "https://access.redhat.com/errata/RHSA-2011:0859", "type": "redhat", "title": "(RHSA-2011:0859) Moderate: cyrus-imapd security update", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:21", "bulletinFamily": "unix", "description": "Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),\nand TLS.\n\nIt was discovered that Postfix did not flush the received SMTP commands\nbuffer after switching to TLS encryption for an SMTP session. A\nman-in-the-middle attacker could use this flaw to inject SMTP commands into\na victim's session during the plain text phase. This would lead to those\ncommands being processed by Postfix after TLS encryption is enabled,\npossibly allowing the attacker to steal the victim's mail or authentication\ncredentials. (CVE-2011-0411)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2011-0411. The\nCERT/CC acknowledges Wietse Venema as the original reporter.\n\nUsers of Postfix are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. After installing this\nupdate, the postfix service will be restarted automatically.\n", "modified": "2018-06-06T20:24:37", "published": "2011-04-06T04:00:00", "id": "RHSA-2011:0423", "href": "https://access.redhat.com/errata/RHSA-2011:0423", "type": "redhat", "title": "(RHSA-2011:0423) Moderate: postfix security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:03", "bulletinFamily": "unix", "description": "[2.3.16-6.2]\n- do not use strict aliasing\n[2.3.16-6.1]\n- fix CVE-2011-1926: STARTTLS plaintext command injection vulnerability", "modified": "2011-06-08T00:00:00", "published": "2011-06-08T00:00:00", "id": "ELSA-2011-0859", "href": "http://linux.oracle.com/errata/ELSA-2011-0859.html", "title": "cyrus-imapd security update", "type": "oraclelinux", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:47", "bulletinFamily": "unix", "description": "[2:2.6.6-2.1]\n- fix CVE-2011-0411 (#682978)", "modified": "2011-04-06T00:00:00", "published": "2011-04-06T00:00:00", "id": "ELSA-2011-0423", "href": "http://linux.oracle.com/errata/ELSA-2011-0423.html", "title": "postfix security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:00", "bulletinFamily": "unix", "description": "\nWietse Venema has discovered a software flaw that allows\n\t an attacker to inject client commands into an SMTP session\n\t during the unprotected plaintext SMTP protocol phase, such\n\t that the server will execute those commands during the SMTP-\n\t over-TLS protocol phase when all communication is supposed\n\t to be protected.\n", "modified": "2011-03-07T00:00:00", "published": "2011-03-07T00:00:00", "id": "14A6F516-502F-11E0-B448-BBFA2731F9C7", "href": "https://vuxml.freebsd.org/freebsd/14a6f516-502f-11e0-b448-bbfa2731f9c7.html", "title": "postfix -- plaintext command injection with SMTP over TLS", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
