TUCoPS :: Unix :: General :: ciach046.txt

Vulnerability IMAP POP


             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                         Vulnerability in IMAP and POP

March 27, 1998 17:00 GMT                                        Number H-46a
______________________________________________________________________________
PROBLEM:       A vulnerability has been reported in some versions of the
               Internet Message Access Protocol (IMAP) and Post Office
               Protocol (POP) implementations (imapd, ipop2d, and ipop3d).
PLATFORM:      See "Appendix A - Vendor Information" below for platforms
               effected.
DAMAGE:        By exploiting this vulnerability, may allow remote users can
               obtain unauthorized root access.
SOLUTION:      Implement the following: 1) Obtain and install patch from your
               vendor, 2) Upgrade to the latest version of IMAP, or 3) Disable
               services.
______________________________________________________________________________
VULNERABILITY  Information about this vulnerability has been publicly
ASSESSMENT:    distributed.
______________________________________________________________________________

[ Appended on March 27, 1998 with additional vendor information from
  Silicon Graphics Inc. ]

[Start of CERT Advisory]

=============================================================================
CERT* Advisory CA-97.09
Original issue date: April 7, 1997
Last revised:  April 9, 1997
               Appendix A - added vendor information for Digital Equipment
                Corporation and QUALCOMM Incorporated.
               Updated vendor information for Sun Microsystems, Inc.
               Added another name to acknowledgment.

Topic: Vulnerability in IMAP and POP
------------------------------------------------------------------------------

The CERT Coordination Center has received reports of a vulnerability
in some versions of the Internet Message Access Protocol (IMAP) and
Post Office Protocol (POP) implementations (imapd, ipop2d, and
ipop3d). Information about this vulnerability has been publicly
distributed.

By exploiting this vulnerability, remote users can obtain unauthorized root
access.

The CERT/CC team recommends installing a patch if one is available or
upgrading to IMAP4rev1. Until you can do so, we recommend disabling the IMAP
and POP services at your site.

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to
your site.

------------------------------------------------------------------------------
I.   Description

     The current version of Internet Message Access Protocol (IMAP) supports
     both online and offline operation, permitting manipulation of remote
     message folders. It provides access to multiple mailboxes (possibly on
     multiple servers), and supports nested mailboxes as well as
     resynchronization with the server. The current version also provides a
     user with the ability to create, delete, and rename mailboxes. Additional
     details concerning the functionality of IMAP can be found in RFC 2060
     (the IMAP4rev1 specification) available from

                http://ds.internic.net/rfc/rfc2060.txt

     The Post Office Protocol (POP) was designed to support offline mail
     processing. That is, the client connects to the server to download mail
     that the server is holding for the client. The mail is deleted from the
     server and is handled offline (locally) on the client machine.

     In both protocols, the server must run with root privileges so it can
     access mail folders and undertake some file manipulation on behalf of the
     user logging in. After login, these privileges are discarded. However, a
     vulnerability exists in the way the login transaction is handled, and
     this can be exploited to gain privileged access on the server. By
     preparing carefully crafted text to a system running a vulnerable version
     of these servers, remote users may be able to cause a buffer overflow and
     execute arbitrary instructions with root privileges.

     Information about this vulnerability has been widely distributed.

II.  Impact

     Remote users can obtain root access on systems running a vulnerable IMAP
     or POP server. They do not need access to an account on the system to do
     this.

III. Solution

     Install a patch from your vendor (see Section A) or upgrade to the latest
     version of IMAP (Section B).  If your POP server is based on the
     University of Washington IMAP server code, you should also upgrade to
     the latest version of IMAP. Until you can take one of these actions, you
     should disable services (Section C). In all cases, we urge you to take
     the additional precaution described in Section D.

  A. Obtain and install a patch from your vendor

     Below is a list of vendors who have provided information about this
     vulnerability. Details are in Appendix A of this advisory; we will update
     the appendix as we receive more information. If your vendor's name is not
     on this list, please contact your vendor directly.

        Berkeley Software Design, Inc. (BSDI)
        Carnegie Mellon University
        Cray Research
        Digital Equipment Corporation
        Linux -  Red Hat
                 Caldera, Inc.
        Sun Microsystems, Inc.
        University of Washington

  B. Upgrade to the latest version of IMAP

     An alternative to installing vendor patches is upgrading to IMAP4rev1,
     which is available from

        ftp://ftp.cac.washington.edu/mail/imap.tar.Z

        MD5 (imap.tar.Z) = 87329f3f87909fe29d5d0b1b10f22ee9

  C.  Disable services

      Until you can take one of the above actions, temporarily disable the POP
      and IMAP services. On many systems, you will need to edit the
      /etc/inetd.conf file. However, you should check your vendor's
      documentation because systems vary in file location and the exact
      changes required (for example, sending the inetd process a HUP signal or
      killing and restarting the daemon).

      If you are not able to temporarily disable the POP and IMAP services,
      then you should at least limit access to the vulnerable services to
      machines in your local network. This can be done by installing the
      tcp_wrappers described in Section D, not only for logging but also for
      access control. Note that even with access control via tcp_wrappers, you
      are still vulnerable to attacks from hosts that are allowed to connect
      to the vulnerable POP or IMAP service.

 D.  Additional precaution

     Because IMAP or POP is launched out of inetd.conf, tcp_wrappers can be
     installed to log connections which can then be examined for suspicious
     activity. You may want to consider filtering connections at the firewall
     to discard unwanted/unauthorized connections.

     The tcp_wrappers tool is available in

        ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.5.tar.gz

        MD5 (tcp_wrappers_7.5.tar.gz) = 8c7a17a12d9be746e0488f7f6bfa4abb

     Note that this precaution does not address the vulnerability described
     in this advisory, but it is a good security practice in general.

-----------------------------------------------------------------------------

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.


Berkeley Software Design, Inc. (BSDI)
=====================================

  We're working on patches for both BSD/OS 2.1 and BSD/OS 3.0 for
  imap (which we include as part of pine).

Carnegie Mellon University
==========================

  Cyrus Server 1.5.2, with full IMAP4rev1 and pop3 capabilities, is NOT
  affected by this report and is NOT vulnerable.

Cray Research
=============

  Not vulnerable.

Digital Equipment Corporation
=============================

  This reported problem is not present for Digital's UNIX or
  Digital ULTRIX Operating Systems Software.


Linux Systems
=============

  Caldera, Inc.
  -------------
  On systems such as Caldera OpenLinux 1.0, an unprivileged user can
  obtain root access.

  As a temporary workaround, you can disable the POP and IMAP services
  in /etc/inetd.conf, and then kill and restart inetd.

  A better solution is to install the new RPM package that contains
  the fixed versions of the IMAP and POP daemons.  They are located
  on Caldera's FTP server (ftp.caldera.com):

        /pub/openlinux/updates/1.0/006/RPMS/imap-4.1.BETA-1.i386.rpm

        The MD5 checksum (from the "md5sum" command) for this package is:

        45a758dfd30f6d0291325894f9ec4c18

  This and other Caldera security resources are located at:

                http://www.caldera.com/tech-ref/security/


  Red Hat
  -------
  The IMAP servers included with all versions of Red Hat Linux have
  a buffer overrun which allow *remote* users to gain root access on
  systems which run them. A fix for Red Hat 4.1 is now available
  (details on it at the end of this note).

  Users of Red Hat 4.0 should apply the Red Hat 4.1 fix. Users of previous
  releases of Red Hat Linux are strongly encouraged to upgrade or simply
  not run imap. You can remove imap from any machine running with Red
  Hat Linux 2.0 or later by running the command "rpm -e imap", rendering
  them immune to this problem.

  All of the new packages are PGP signed with Red Hat's PGP key,
  and may be obtained from ftp.redhat.com:/updates/4.1. If
  you have direct Internet access, you may upgrade these packages on your
  system with the following commands:

  Intel:
  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/imap-4.1.BETA-3.i386.rpm

        MD5 (imap-4.1.BETA-3.i386.rpm) = 8ac64fff475ee43d409fc9776a6637a6

  Alpha:
  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/imap-4.1.BETA-3.alpha.rpm

        MD5 (imap-4.1.BETA-3.alpha.rpm) = fd42ac24d7c4367ee51fd00e631cae5b

  SPARC:
  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/imap-4.1.BETA-3.sparc.rpm

        MD5 (imap-4.1.BETA-3.sparc.rpm) = 751598aae3d179284b8ea4d7a9b78868

QUALCOMM Incorporated
======================

  Our engineers have examined the QPopper source code, which is based
  on source from UC Berkeley. They determined that QPopper is *NOT*
  vulnerable to a buffer overflow attack as described in CA-97.09.
  It strictly checks the size of messages before copying them into its
  buffer.

Sun Microsystems, Inc.
======================

  Not vulnerable.

University of Washington
========================

  This vulnerability has been detected in the University of Washington c-client
  library used in the UW IMAP and POP servers.  This vulnerability affects all
  versions of imapd prior to v10.165, all versions of ipop2d prior to 2.3(32),
  and all versions of ipop3d prior to 3.3(27).

  It is recommended that all sites using these servers upgrade to the
  latest versions, available in the UW IMAP toolkit:

        ftp://ftp.cac.washington.edu/mail/imap.tar.Z

        MD5 (imap.tar.Z) = fb94453e8d2ada303e2db8d83d54bfb6


  This is a source distribution which includes imapd, ipop2d, ipop3d. and
  the c-client library.  The IMAP server in this distribution conforms with
  RFC2060 (the IMAP4rev1 specification).

  Sites which are not yet prepared to upgrade from IMAP2bis to IMAP4
  service may obtain a corrected IMAP2bis server as part of the latest
  (3.96) UW Pine distribution, available at:

        ftp://ftp.cac.washington.edu/pine/pine.tar.Z

        MD5 (pine.tar.Z) = 37138f0d1ec3175cf1ffe6c062c9abbf

------------------------------------------------------------------------------
The CERT Coordination Center thanks the University of Washington's
Computing and Communications staff for information relating to this
advisory. We also thank Wolfgang Ley of DFN-CERT for his input. We
thank Matthew Wall of Carnegie Mellon University for additional
insightful feedback.

------------------------------------------------------------------------------

[End of CERT Advisory]

[ Appended by Silicon Graphic Inc. ]

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   IMAP/POP Vulnerability
        Title:   CERT CA-97.09
        Number:  19980302-01-I
        Date:    March 25, 1998
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.   Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics provides the information in this Security Advisory on
an "AS-IS" basis only, and disclaims all warranties with respect thereto,
express, implied or otherwise, including, without limitation, any warranty
of merchantability or fitness for a particular purpose.  In no event shall
Silicon Graphics be liable for any loss of profits, loss of business, loss
of data or for any indirect, special, exemplary, incidental or consequential
damages of any kind arising from your use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________


As a followup to the CERT(sm) Advisory CA-97.09 "Vulnerability in IMAP and
POP", SGI has investigated this information and provides the following
information.


- -----------------------
- --- Issue Specifics ---
- -----------------------

The Internet Mail Access Protocol (IMAP) & Post Office Protocol (POP)
provide users with an alternative means to process and retrieve their email.

A vulnerability has been discovered in IMAP4 & POP3 that allows remote
users to obtain root access.

Silicon Graphics sells and supports the Netscape Mail/Messaging Servers
for IRIX which use IMAP4 & POP3 however, their implementations are not
vulnerable to this issue and no further action is required.

More information about Netscape product security can be found at the
following URL:

http://home.netscape.com/assist/security/


- ------------------------
- --- Acknowledgments ---
- ------------------------

Silicon Graphics wishes to thank the CERT Coordination Center and
Netscape for their assistance in this matter.


- -----------------------------------------------------------
- --- Silicon Graphics Inc. Security Information/Contacts ---
- -----------------------------------------------------------

If there are questions about this document, email can be sent to
cse-security-alert@sgi.com.

                      ------oOo------

Silicon Graphics provides security information and patches for
use by the entire SGI community.  This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1).  Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/security/security.html.

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released. Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/security/wiretap.html) or by sending email
to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.


                      ------oOo------

Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/security/security.html.

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A
support contract is not required for submitting a security report.

______________________________________________________________________________
  This information is provided freely to all interested parties and may
  be redistributed provided that it is not altered in any way, Silicon
  Graphics is appropriately credited and the document retains and
  includes its valid PGP signature.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNRmLYrQ4cFApAP75AQHjvgP8C7FcHzR89PbzKBCghwDmKqhW76yTZ2U8
EyJZjYLeiTaMYsUFrmyiUKrUJvIwKlUbFx3Gm+gtkOYIcweON4EwKdg3HQIm2tD4
ie0Da7/DoQBnZ0p80jdy0PTwwL24V1DQniHz5jKpILlGHjI8aPBWpEkLntgXhuh/
BGGujuTXphM=
=dGjz
-----END PGP SIGNATURE-----


[ End Silicon Graphic Inc. Update ]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-35: HP-UX vgdisplay command Vulnerability
H-36: Solaris 2.x CDE sdtcm_convert Vulnerability
H-37: Solaris 2.x passwd buffer Overrun Vulnerability
H-38A: Internet Explorer 3.x Vulnerabilities
H-39: SGI IRIX fsdump Vulnerability
H-40: DIGITAL Security Vulnerabilities (DoP, delta-time)
H-41: Solaris 2.x eject Buffer Overrun Vulnerability
H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability
H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability
H-45: Windows NT SAM  permission Vulnerability

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH