UW IMAP CRAM-MD5 Authentication Flaw Lets Remote Users Access Arbitrary IMAP Accounts

SecurityTracker Alert ID: 1013037
SecurityTracker URL: http://securitytracker.com/id?1013037
CVE Reference: CAN-2005-0198
Updated: Feb 24 2005
Original Entry Date: Jan 28 2005
Impact: User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2004b

Description: A vulnerability was reported in the University of Washington IMAP server. A remote user can gain access to arbitrary e-mail accounts when the server is configured to offer CRAM-MD5 authentication.

US-CERT reported that the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) code contains a logic error that may allow a remote user to authenticate as any target user and access the target user's IMAP account. CRAM-MD5 authentication is not enabled in the default configuration, so only servers that have turned it on are exposed; the advisory does not describe the flawed logic itself.
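To make concrete what a CRAM-MD5 (RFC 2195) verifier has to get right, here is an added example written for this page. It is not code from UW IMAP or c-client and not a reconstruction of the flawed logic, which the advisory does not describe. It implements both sides of the exchange: the client computes HMAC-MD5 over the server's challenge with the password as key, and the server recomputes that digest for the claimed user and accepts only an exact match. The credential store and hostname are constructed for illustration; the "tim" entry and the challenge used below are the worked example from RFC 2195.

```python
"""CRAM-MD5 exchange with a server-side verifier (added example, not UW IMAP code)."""
import base64
import hashlib
import hmac
import os
import time

# Constructed credential store. "tim" is the RFC 2195 worked example;
# the other entries are made up for this illustration.
PASSWORDS = {
    "tim": "tanstaaftanstaaf",
    "alice": "alice-secret",
    "bob": "bob-secret",
}


def make_challenge(hostname: str = "imap.example.test") -> bytes:
    """Server side: a unique, unpredictable challenge for each attempt."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: base64(username SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def verify_response(response_b64: bytes, challenge: bytes, passwords=PASSWORDS):
    """Server side: return the authenticated username, or None.

    Every failure path returns None explicitly, so a malformed or forged
    response can never fall through to the success case.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = decoded.split(" ")
    if len(parts) != 2:
        return None
    username, digest = parts
    # A CRAM-MD5 digest is exactly 32 lowercase hex characters.
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return None
    password = passwords.get(username)
    if password is None:
        # Do a dummy HMAC so unknown users cost the same time as known ones.
        hmac.new(b"dummy-key", challenge, hashlib.md5).hexdigest()
        return None
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison of the full digest; no prefix or length shortcut.
    if not hmac.compare_digest(expected, digest):
        return None
    return username


def run_demo():
    """Good response, wrong password, and a replay against a fresh challenge."""
    chal = make_challenge()
    good = client_response("alice", "alice-secret", chal)
    forged = client_response("alice", "guessed-password", chal)
    replay = client_response("alice", "alice-secret", make_challenge())
    return (
        verify_response(good, chal),
        verify_response(forged, chal),
        verify_response(replay, chal),
    )


if __name__ == "__main__":
    print(run_demo())
```

The point of the example is the shape of the decision: the username in the response selects which password to key the HMAC with, the server never trusts anything else in the response, and each check returns a failure on its own. A verifier whose comparison or control flow can succeed for a response that was not built from the target user's password gives exactly the impact this advisory describes, a login as any chosen user.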

Impact: A remote user can gain access to a target user's IMAP account.

Solution: The vendor has issued a fixed release, imap-2004b:
ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z

Vendor URL: www.washington.edu/imap/

Cause: Authentication error

Underlying OS: Linux (Any), UNIX (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Fri, 28 Jan 2005 09:51:39 -0500
Subject: http://www.kb.cert.org/vuls/id/CRDY-68QSL5
US-CERT reported that the University of Washington IMAP server's
Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) code contains a logic
error that may allow a remote user to authenticate as any target user.
CRAM-MD5 authentication is not a default configuration.
The vendor has issued the following fix:
ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z