UW IMAP CRAM-MD5 Authentication Flaw Lets Remote Users Access Arbitrary IMAP Accounts
SecurityTracker Alert ID: 1013037
SecurityTracker URL: http://securitytracker.com/id/1013037
CVE Reference: CAN-2005-0198
Updated: Feb 24 2005
Original Entry Date: Jan 28 2005
Impact: User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 2004b
Description:
A vulnerability was reported in the University of Washington IMAP server. A remote user can access e-mail accounts when the server is configured to use the CRAM-MD5 authentication mechanism.
US-CERT reported that the Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) code contains a logic error that may allow a remote user to authenticate as any target user and access that user's IMAP account.
CRAM-MD5 authentication is not enabled in the default configuration.
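The advisory does not say what the logic error is, so the following is an added illustration (not UW IMAP code) of what a CRAM-MD5 exchange and a correct server-side check look like: the server issues a fresh challenge, the client answers with its username and the hex HMAC-MD5 of the challenge keyed with the shared secret, and the server recomputes the digest and denies access on every path that does not end in a matching comparison. The hostname, user names and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed user store: CRAM-MD5 requires the server to hold the shared
# secret (or an MD5 context derived from it); these accounts are examples only.
USERS = {"alice": "correct horse battery staple", "bob": "s3cret"}


def make_challenge(hostname="imap.example.test"):
    """Server step 1: a fresh, unpredictable challenge in the RFC 2195 shape
    '<nonce.timestamp@host>'. A new one is issued per authentication attempt."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(username, secret, challenge):
    """Client step: 'username SP hex(HMAC-MD5(secret, challenge))', base64 on the wire."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def verify_response(b64_response, challenge, users=USERS):
    """Server step 2: return the authenticated username, or None on ANY failure.
    The advisory above describes a logic error in this kind of accept/deny
    decision, so every non-matching path here must end in a denial."""
    try:
        decoded = base64.b64decode(b64_response, validate=True).decode()
        username, digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed response (bad base64, no separator, non-text)
    secret = users.get(username)
    if secret is None:
        return None  # unknown user: same outcome as a bad digest
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None  # wrong secret, or a response replayed from another challenge
    return username


if __name__ == "__main__":
    ch = make_challenge()
    print(verify_response(client_response("alice", USERS["alice"], ch), ch))  # alice
    print(verify_response(client_response("alice", "guess", ch), ch))         # None
```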
Impact:
A remote user can gain access to a target user's IMAP account.
Solution:
The vendor has issued the following fix:
ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z

Vendor URL: www.washington.edu/imap/
Cause:
Authentication error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Fri, 28 Jan 2005 09:51:39 -0500
Subject: http://www.kb.cert.org/vuls/id/CRDY-68QSL5
US-CERT reported that the University of Washington IMAP server's Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) code contains a logic error that may allow a remote user to authenticate as any target user.
CRAM-MD5 authentication is not a default configuration.
The vendor has issued the following fix:
ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z