Merit Joint Technical Staff
CERT Advisory CA-98.09 - imapd
- From: Jeff Ogden
- Date: Mon Jul 20 17:12:07 1998
Please pass this information on to system administrators at your organization.
-Jeff Ogden
Merit
>Date: Mon, 20 Jul 1998 14:27:42 -0400
>From: CERT Advisory <cert-advisory@cert.org>
>To: cert-advisory@coal.cert.org
>Subject: CERT Advisory CA-98.09 - imapd
>Reply-To: cert-advisory-request@cert.org
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT* Advisory CA-98.09
>Original issue date: July 20, 1998
>
>Topic: Buffer Overflow in Some Implementations of IMAP Servers
>
>- -------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports regarding a vulnerability
>in some implementations of IMAP servers.
>
>The CERT/CC recommends that anyone running a vulnerable version of this
>software upgrade to the current vendor-recommended version. Until you can do
>so, we suggest disabling the vulnerable IMAP server.
>
>We will update this advisory as we receive additional information. We
>encourage you to check our web site regularly for updates to this advisory
>that may relate to your site.
>
>- -------------------------------------------------------------------------
>
>I. Description
>
>The CERT Coordination Center has received reports regarding a buffer
>overflow in some implementations of IMAP servers. The overflow is in library
>code from the University of Washington IMAP server that handles SASL
>server-level authentication. This vulnerability is different from the one
>discussed in CERT Advisory CA-97.09.imap_pop. Information about this
>vulnerability has been posted to various public mailing lists and
>newsgroups.
>
>All versions of the University of Washington IMAP server prior to the final
>(frozen, non-beta) version of imap-4.1 that support SASL server-level
>authentication are vulnerable. The vulnerability affects all University of
>Washington IMAP4rev1 servers prior to v10.234. Also, any v10.234 server that
>was distributed with Pine 4.0 or any imap-4.1.BETA is vulnerable.
>
>Additionally, the vulnerability is present in other IMAP servers that use
>library code from the University of Washington IMAP server to handle SASL
>server-level authentication.
>
>IMAP servers that share no code with the University of Washington server are
>not vulnerable.
>
>Some operating systems ship with a vulnerable version of this software
>installed and enabled by default. Please refer to the Vendor Information
>section below for more information about your vendor.
>
>II. Impact
>
>Remote intruders can execute arbitrary commands under the privileges of the
>process running the vulnerable IMAP server. If the vulnerable IMAP server is
>running as root, remote intruders can gain root access.
>
>III. Solution
>
> A. Determine if your version of imapd is vulnerable
>
> To determine if a system is vulnerable, first telnet to port 143 on
> that host. If it is running an IMAP server, the banner will show the
> version. For example:
>
> % telnet host.your.domain.com 143
> Trying 123.123.123.123...
> Connected to host.
> Escape character is '^]'.
> * OK host.your.domain.com IMAP4rev1 v10.190 server ready
>
> In the above example, the IMAP server is the University of Washington
> IMAP4rev1 v10.190. Since all University of Washington IMAP4rev1 servers
> prior to v10.234 are vulnerable, the server in the above example is
> vulnerable.
>
> Please consult the Vendor Information section below for information
> about other vulnerable IMAP servers.
>
> B. Install the most recent version of imapd
>
> Obtain and install the most recent version, or patch for your IMAP
> server. Appendix A contains input from vendors who have provided
> information for this advisory.
>
> C. Workaround
>
> If you are unable to upgrade to a version that is not vulnerable, we
> urge you to disable the IMAP server until you are able to address the
> problem.
>
>- -------------------------------------------------------------------------
>
>Appendix A - Vendor Information
>
>Below is a list of the vendors who have provided information for this
>advisory. We will update this appendix as we receive additional information.
>If you do not see your vendor's name, the CERT/CC did not hear from that
>vendor. Please contact the vendor directly.
>
>- -------------------------------------------------------------------------
>
>IMAP Server Vendors
>
>Cyrus
>
> This does not affect the Cyrus imapd. Cyrus imapd shares no code with
> the University of Washington imapd.
>
>Esys Corporation
>
> We are not affected by the problem described in the advisory. We do not
> ship any University of Washington based software at this time. We have
> never shipped any of the IMAP 4.x software from the University of
> Washington.
>
>NEC Corporation
>
> The University of Washington imapd is shipped with our product
> "Mobilenet/IMAP" and so it is vulnerable.
>
>Netscape
>
> Netscape Messaging Server 3.55 and before are susceptible to this
> vulnerability. However, it should be noted that Netscape Messaging
> Server (any version) does NOT run as root and therefore, the exposure
> is much more limited than the University of Washington example.
> Regardless, we have released a patch available at
> http://help.netscape.com/products/server/messaging which
> addresses this vulnerability.
>
>Sun Microsystems
>
> Sun Microsystems is working on patches for Solstice Internet Mail Server
> product versions 2.0, 3.1 and 3.2.
>
>University of Washington
>
> A security problem has been detected with the University of Washington
> IMAP server that is included in the Pine 4.00 distribution. This will
> be fixed in the forthcoming Pine 4.01 maintenance release. Until then,
> if you are using the UW IMAP server, please update it with the
> following distribution:
>
> ftp://ftp.cac.washington.edu/mail/imap.tar.Z
>
> This vulnerability affects all IMAP4rev1 servers prior to
> v10.234. v10.234 may or may not be vulnerable; if it came from Pine
> 4.00 or from any imap-4.1.BETA then it is vulnerable. IMAP2bis
> servers are immune. This problem is also fixed in the imap-4.2
> toolkit, which is tentatively expected to be released in
> conjunction with Pine 4.01. Any IMAP4rev1 server whose version
> starts with "v11" will be immune.
>
>- -------------------------------------------------------------------------
>
>Operating System Vendors
>
>Berkeley Software Design, Inc.
>
> The version of IMAP shipped with BSD/OS 2.1 and 3.0/3.1 is the older
> version which does not include the vulnerability.
>
> The version of IMAP which will be included in the upcoming 4.0 release
> has been updated to include the security fixes.
>
>Caldera Linux
>
> Caldera: releasing patched imap-4.1; will release imap-4.2 as soon as
> it becomes available.
>
> URL: ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010
>
> 6df741b4217f03bf773b54509a7d283a imap-4.1.BETA-5.i386.rpm
> d3526121c68b611524fc72746204d752 imap-4.1.BETA-5.src.rpm
>
>Compaq Computer Corporation
>
> (c) Copyright 1994, 1995, 1996, 1997, 1998 Compaq Computer Corporation.
> All rights reserved.
>
> SOURCE: Compaq Computer Corporation
> Compaq Services
> Software Security Response Team USA
>
> This reported problem is not present for the as shipped,
> Compaq's Digital ULTRIX or Compaq's Digital UNIX
> Operating Systems Software.
>
>
> - Compaq Computer Corporation
>
>Data General
>
> We are investigating. We will provide an update when our
> investigation is complete.
>
>FreeBSD
>
> FreeBSD does not ship default with imap. However, there is a version
> of imapd from Washington University in the FreeBSD ports collections,
> known as imap-uw.
>
> If anyone is using the imap port, we suggest fetching the latest revision
> of imap and manually install it, or wait until the FreeBSD port is updated
> and reinstall imap-uw using the ports system.
>
> You can check the ports status at:
> http://www.freebsd.org/ports/mail.html
>
>Fujitsu
>
> Our operating system, UXP/V, does not support imapd. Therefore, it is
> not vulnerable to the above vulnerability.
>
>Hewlett-Packard Company
>
> HP does not ship the University of Washington IMAP server.
>
>IBM Corporation
>
> The version of imapd shipped with AIX 4.2 and 4.3 is vulnerable. We
> are currently working on the following fixes which will be available
> soon:
>
> AIX 3.2.x: imapd not shipped (not vulnerable)
> AIX 4.1.x: imapd not shipped (not vulnerable)
> AIX 4.2.x: IX80446
> AIX 4.3.x: IX80447
>
> To Order
> --------
> APARs may be ordered using Electronic Fix Distribution (via FixDist)
> or from the IBM Support Center. For more information on FixDist,
> reference URL:
>
> http://aix.software.ibm.com/aix.us/swfixes/
>
> or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".
>
> IBM and AIX are registered trademarks of International Business Machines
> Corporation.
>
>NetBSD
>
> NetBSD does not ship the UW imapd daemon in its standard or development
> operating system releases. Our optional package system also does not
> include it at this time.
>
>OpenBSD
>
> OpenBSD has never shipped an imap daemon.
>
>Red Hat Linux
>
> Serious security problems have been found in all versions of imap shipped
> with Red Hat Linux. If "rpm -q imap" shows that imap is installed on
> your system, please upgrade to these new imap releases immediately, or
> remove imap by running "rpm -e imap". Note that Red Hat's imap package
> also provides a POP server, so only remove it if you don't need to provide
> POP services.
>
> Thanks to everyone who helped find these problems, Olaf Kirch in particular.
>
> Red Hat 5.0 and 5.1
> -------------------
>
> i386:
> rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/imap-4.1.final-1.i386.rpm
>
> alpha:
> rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/imap-4.1.final-1.alpha.rpm
>
> SPARC:
> rpm -Uvh ftp://ftp.redhat.com/updates/5.0/sparc/imap-4.1.final-1.sparc.rpm
>
> Red Hat 4.2
> -----------
>
> i386:
> rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/imap-4.1.final-0.i386.rpm
>
> alpha:
> rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/imap-4.1.final-0.alpha.rpm
>
> SPARC:
> rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/imap-4.1.final-0.sparc.rpm
>
>
>The Santa Cruz Operation, Inc.
>
> The following SCO products are vulnerable:
>
> - SCO UnixWare 7
>
> SCO OpenServer 5.0, SCO CMW+ 3.0, SCO Open Desktop/Open Server 3.0, and
> UnixWare 2.1 are not vulnerable as University of Washington imapd is not
> included in these platforms.
>
> Binary versions of University of Washington imapd will be available
> shortly from the SCO ftp site:
>
> ftp://ftp.sco.com/SSE/sse014.ltr - cover letter
> ftp://ftp.sco.com/SSE/sse014.tar.Z - replacement binaries
>
> This fix is a binary for the following SCO operating systems:
>
> - SCO UnixWare 7
>
> For the latest security bulletins and patches for SCO products,
> please refer to http://www.sco.com/security/.
>
>- -------------------------------------------------------------------------
>The CERT Coordination Center thanks Olaf Kirch of Caldera Linux for
>discovering and reporting the vulnerability. Additionally, we would like to
>thank Mark Crispin and Lori Stevens of the University of Washington for
>providing technical details and support in the development of the advisory.
>
>- -------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident Response
>and Security Teams (see http://www.first.org/team-info/)
>
>CERT/CC Contact Information
>
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
>
>CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call
>for emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address:
>
>CERT Coordination Center
>Software Engineering Institute
>Carnegie Mellon University
>Pittsburgh PA 15213-3890
>USA
>
>Using encryption
>
>We strongly urge you to encrypt sensitive information sent by email. We can
>support a shared DES key or PGP. Contact the CERT/CC for more information.
>
>Location of CERT PGP key
>
>ftp://ftp.cert.org/pub/CERT_PGP.key
>
>Getting security information
>
>CERT publications and other security information are available from
>
>http://www.cert.org/
>ftp://ftp.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
>comp.security.announce
>To be added to our mailing list for advisories and bulletins, send email to
>
>cert-advisory-request@cert.org
>
>In the subject line, type
>
>SUBSCRIBE your-email-address
>
>- -------------------------------------------------------------------------
>
>Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
>and sponsorship information can be found in
>http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff.
>If you do not have FTP or web access, send mail to cert@cert.org with
>"copyright" in the subject line.
>
>*CERT is registered in the U.S. Patent and Trademark Office.
>
>- -------------------------------------------------------------------------
>
>The authoritative version of this file is at:
> http://www.cert.org/advisories/CA-98.09.imapd.html
>
>A text only version of this file is at:
> ftp://ftp.cert.org/pub/cert_advisories/CA-98.09.imapd.html
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Revision history
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>-----END PGP SIGNATURE-----
>
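The banner check in section III.A of the advisory, combined with the version rules in the University of Washington vendor statement, can be run across a list of hosts. The following is an added example, not code from CERT/CC, Merit or the University of Washington; the function names, the result labels and all sample banners except the first are assumptions made for illustration.

```python
import re
import socket

# Greeting shape from the advisory's telnet example:
#   * OK host.your.domain.com IMAP4rev1 v10.190 server ready
BANNER_RE = re.compile(
    r"^\* OK \S+ (IMAP4rev1|IMAP2bis)\b(?: v(\d+)\.(\d+))?", re.IGNORECASE)
BOUNDARY = (10, 234)  # "prior to v10.234" is vulnerable per the advisory


def classify_banner(banner):
    """Map an IMAP greeting to the advisory's categories (labels are ours)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unknown"            # not a UW-style greeting; ask the vendor
    if m.group(1).lower() == "imap2bis":
        return "not-vulnerable"     # "IMAP2bis servers are immune"
    if m.group(2) is None:
        return "unknown"            # IMAP4rev1 but no version advertised
    version = (int(m.group(2)), int(m.group(3)))
    if version < BOUNDARY:
        return "vulnerable"
    if version == BOUNDARY:
        return "check-origin"       # vulnerable if from Pine 4.00 / imap-4.1.BETA
    if version[0] >= 11:
        return "not-vulnerable"     # versions starting with "v11" are immune
    return "not-listed"             # later v10.x is not addressed by the advisory


def read_banner(host, port=143, timeout=5.0):
    """Fetch the greeting line from a host you administer (the telnet step)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        return reader.readline().strip()


# First line is the advisory's own example; the rest are constructed samples.
SAMPLES = [
    "* OK host.your.domain.com IMAP4rev1 v10.190 server ready",
    "* OK mail.example.org IMAP4rev1 v10.234 server ready",
    "* OK mail.example.org IMAP4rev1 v11.241 server ready",
    "* OK mail.example.org IMAP2bis Service 7.8(100) ready",
    "* OK example-imap ready",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify_banner(line):15} {line}")
```

A result of "unknown" does not clear a host: the advisory states that other IMAP servers using the University of Washington library code are also affected, and this pattern may not match their banners.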