SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   IMAP Toolkit (uw-imap) Vendors:   University of Washington
UW IMAP CRAM-MD5 Authentication Flaw Lets Remote Users Access Arbitrary IMAP Accounts
SecurityTracker Alert ID:  1013037
SecurityTracker URL:  http://securitytracker.com/id/1013037
CVE Reference:   CVE-2005-0198   (Links to External Site)
Updated:  Feb 24 2005
Original Entry Date:  Jan 28 2005
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2004b
Description:   A vulnerability was reported in the University of Washington IMAP server. A remote user can access e-mail accounts when the system uses a certain authentication mechanism.

US-CERT reported that Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) code contains a logic error that may allow a remote user to authenticate as any target user and access the target user's IMAP account.

CRAM-MD5 authentication is not a default configuration.

Impact:   A remote user can gain access to a target user's IMAP account.
Solution:   The vendor has issued the following fix:

ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z

Vendor URL:  www.washington.edu/imap/ (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 2 2005 (Mandrake Issues Fix) UW IMAP CRAM-MD5 Authentication Flaw Lets Remote Users Access Arbitrary IMAP Accounts
Mandrake has released a fix.
Feb 3 2005 (Gentoo Issues Fix) UW IMAP CRAM-MD5 Authentication Flaw Lets Remote Users Access Arbitrary IMAP Accounts
Gentoo has released a fix.
Feb 24 2005 (Red Hat Issues Fix) UW IMAP CRAM-MD5 Authentication Flaw Lets Remote Users Access Arbitrary IMAP Accounts
Red Hat has released a fix.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC