Category:   Application (E-mail Server)  >   Cyrus IMAP Server
Vendors:   Carnegie Mellon University
(Conectiva Issues Fix) Cyrus IMAP Server Memory Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012371
SecurityTracker URL:  http://securitytracker.com/id/1012371
CVE Reference:   CVE-2004-1011, CVE-2004-1012, CVE-2004-1013
Date:  Dec 2 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.2.8 and prior versions
Description:   Several vulnerabilities were reported in the Cyrus IMAP server. A remote user can execute arbitrary code on the target system.

Stefan Esser of e-matters GmbH reported a variety of bugs. A remote user can trigger a stack overflow in the PROXY and LOGIN commands when the imapmagicplus option is enabled on the target server [CVE: CVE-2004-1011]. The username value is not properly validated. Versions 2.2.4 - 2.2.8 are affected.

It is also reported that a remote authenticated user can trigger a memory corruption error in the PARTIAL command [CVE: CVE-2004-1012], exploitable in versions 2.2.6 and prior versions. A remote authenticated user can execute arbitrary code.

It is also reported that a remote authenticated user can trigger a memory corruption error in the processing of the FETCH command [CVE: CVE-2004-1013] to execute arbitrary code.

In versions 2.2.7 and 2.2.8, it is also reported that a flaw in processing the MULTIAPPENDS command may cause uninitialized memory to be freed, which may lead to arbitrary code execution.

The vendor was notified on November 6, 2004.

The original advisory is available at:

http://security.e-matters.de/advisories/152004.html

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the imapd process.
Solution:   Conectiva has released a fix.

ftp://atualizacoes.conectiva.com.br/10/SRPMS/cyrus-imapd-2.2.10-62338U10_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-static-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-doc-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cyrus-imapd-2.1.17-28805U90_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-static-2.1.17-28805U90_5cl.i386.rpm

Vendor URL:  asg.web.cmu.edu/cyrus/
Cause:   Boundary error
Underlying OS:  Linux (Conectiva)
Underlying OS Comments:  9, 10
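
A triage sketch for the version ranges and the imapmagicplus condition described above, given an installed version string and the text of imapd.conf. This is an added example, not code from SecurityTracker, Conectiva or the Cyrus project; the function names, the sample configuration, the list of "true" spellings and the use of the page's overall "2.2.8 and prior" range for FETCH are assumptions.

```python
import re

# Inclusive version ranges as stated on this page. FETCH has no range of
# its own on the page, so the overall "2.2.8 and prior" is assumed for it.
ISSUES = [
    # (label, lowest affected, highest affected, needs imapmagicplus)
    ("CVE-2004-1011 imapmagicplus LOGIN/PROXY overflow", (2, 2, 4), (2, 2, 8), True),
    ("CVE-2004-1012 PARTIAL memory corruption", (0, 0, 0), (2, 2, 6), False),
    ("CVE-2004-1013 FETCH memory corruption", (0, 0, 0), (2, 2, 8), False),
    ("MULTIAPPENDS uninitialized free", (2, 2, 7), (2, 2, 8), False),
]
FIXED_2_1 = (2, 1, 17)  # fixed release for the 2.1.x branch, per the advisory

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """# sample imapd.conf
configdirectory: /var/lib/imap
imapmagicplus: yes
"""

def parse_version(text):
    """Accept '2.2.8' or an RPM name such as 'cyrus-imapd-2.1.17-...'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())

def imapmagicplus_enabled(conf_text):
    """True if any non-comment 'imapmagicplus: <value>' line enables it."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (p.strip().lower() for p in line.split(":", 1))
        # Assumption: these spellings are read as "true" by the server.
        if key == "imapmagicplus" and value in ("1", "y", "yes", "on", "t", "true"):
            return True
    return False

def exposure(version_text, conf_text):
    """Return the labels of the issues on this page that apply to a host."""
    v = parse_version(version_text)
    if v[:2] == (2, 1) and v >= FIXED_2_1:
        return []  # patched 2.1.x release
    magic = imapmagicplus_enabled(conf_text)
    return [label for label, low, high, needs_magic in ISSUES
            if low <= v <= high and (magic or not needs_magic)]
```

A host on 2.2.8 with imapmagicplus disabled still reports the FETCH and MULTIAPPENDS issues, so turning the option off only removes the unauthenticated path.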

Message History:   This archive entry is a follow-up to the message listed below.
Nov 23 2004 Cyrus IMAP Server Memory Errors May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Conectiva-updates] [CLA-2004:904] Conectiva Security Announcement


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : cyrus-imapd
SUMMARY   : Multiple vulnerabilities in cyrus-imapd
DATE      : 2004-12-01 18:21:00
ID        : CLA-2004:904
RELEVANT
RELEASES  : 9, 10

- -------------------------------------------------------------------------

DESCRIPTION
 cyrus-imapd[1] is an IMAP and POP3 mail server with several advanced
 features such as SASL authentication, server-side mail filtering,
 mailbox ACLs and others.
 
 Stefan Esser from e-matters security recently published[2] several
 vulnerabilities in cyrus-imapd:
 
 (if not mentioned otherwise, all vulnerabilities affect both
 Conectiva Linux 9 and 10)
 
 1. "imapmagicplus" buffer overflow (CAN-2004-1011)[3]
 If the "imapmagicplus" option is enabled in the server's
 configuration file, then the LOGIN and PROXY commands can be abused
 to cause a buffer overflow, allowing remote unauthenticated attackers
 to execute arbitrary code as the "cyrus" user.
 
 Later on it has been found that the proxyd service also suffered[6]
 (CAN-2004-1015) from the same problem.
 
 Conectiva Linux 9 is not affected by these vulnerabilities.
 
 
 2. PARTIAL command vulnerability (CAN-2004-1012)[4]
 The PARTIAL command parser has a vulnerability which would allow
 authenticated users to cause a memory corruption and possibly execute
 arbitrary code as the "cyrus" user.
 
 
 3. FETCH command vulnerability (CAN-2004-1013)[5]
 The FETCH command parser has a vulnerability which would allow
 authenticated users to cause a memory corruption and possibly execute
 arbitrary code as the "cyrus" user.
 
 
 All these vulnerabilities have been fixed upstream with new versions
 of cyrus-imapd: 2.2.10 for the 2.2.x branch and 2.1.17 for the 2.1.x
 branch.
 
 Below are additional changes in our RPM packages:
 - for CL10: SNMP support has been removed. It needs a newer net-snmp
 library than the one that is currently being shipped;
 - for CL10: the script which attempts to convert the imapd.conf
 configuration file from 2.1.x to the 2.2.x format has been fixed.
 Previously it would mangle TLS directives;
 - for CL9: the init script has been fixed to allow GSSAPI
 authentication and also to restart the server if it was already
 running;
 - for CL9: the cyrus-imapd package now explicitly conflicts with
 uw-imap-server and uw-pop-server.


SOLUTION
 It is recommended that all cyrus-imapd users upgrade their packages.
 The service will be automatically restarted after the upgrade if
 needed.
 
 
 REFERENCES
 1. http://asg.web.cmu.edu/cyrus/imapd/
 2. http://security.e-matters.de/advisories/152004.html
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1011
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1012
 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1013
 6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1015
 7. http://asg.web.cmu.edu/cyrus/download/imapd/changes.html


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/cyrus-imapd-2.2.10-62338U10_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-devel-static-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/cyrus-imapd-doc-2.2.10-62338U10_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/cyrus-imapd-2.1.17-28805U90_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-2.1.17-28805U90_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/cyrus-imapd-devel-static-2.1.17-28805U90_5cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM package upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBrifp42jd0JmAcZARAl8pAJ9XYSysXc85YP1SecR8c8iXT4W8aQCdFPS7
wuZJWDfIEUeGq3HGN8ExHFY=
=XDib
-----END PGP SIGNATURE-----
