__________________________________________________________

                     The U.S. Department of Energy
                 Computer Incident Advisory Capability
__________________________________________________________

                          INFORMATION BULLETIN

      University of Washington Imapd Buffer Overflow Vulnerability
                  [Red Hat Advisory RHSA-2002:092-11]

June 3, 2002 21:00 GMT                                          Number M-085
______________________________________________________________________________
PROBLEM:       A buffer overflow exists in the University of Washington imap
               daemon version 2000c and previous releases.

PLATFORM:      UW wu-imapd 2000c and previous:
               HP Secure OS software for Linux 1.0
               RedHat Linux 6.2 alpha, i386, sparc
               RedHat Linux 7.0 alpha, i386
               RedHat Linux 7.1 alpha, i386, ia64
               RedHat Linux 7.2 i386, ia64

DAMAGE:        Successful exploit of this vulnerability can enable an
               authenticated user to execute arbitrary commands within their
               UID/GID privileges, ranging from unauthorized file access up
               to and including root, depending on user privileges.

SOLUTION:      Apply the patches described below.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Exploiting this vulnerability requires a
ASSESSMENT:    legitimate account on the system and results in potential
               unauthorized execution of commands, depending on the user's
               privileges. This is remotely exploitable, but requires a
               legitimate account.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-085.shtml
 ORIGINAL BULLETIN:  http://rhn.redhat.com/errata/RHSA-2002-092.html
 OTHER LINKS:        HP Advisory:
                     http://online.securityfocus.com/advisories/4167
______________________________________________________________________________

[***** Start Red Hat Advisory RHSA-2002:092-11 *****]

---------------------------------------------------------------------
                   Red Hat, Inc.
                   Red Hat Security Advisory

Synopsis:          Buffer overflow in UW imap daemon
Advisory ID:       RHSA-2002:092-11
Issue date:        2002-05-16
Updated on:        2002-05-22
Product:           Red Hat Linux
Keywords:          UW imap buffer overflow wu-imap uw-imap
Cross references:
Obsoletes:         RHBA-2001:120
CVE Names:         CAN-2002-0379
---------------------------------------------------------------------

1. Topic:

The UW imap daemon contains a buffer overflow which allows a logged-in,
remote user to execute commands on the server with the user's UID/GID.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc
Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386, ia64

3. Problem description:

UW imapd is an IMAP daemon from the University of Washington. Version 2000c
and previous versions have a bug that allows a malicious user to construct a
malformed request which overflows an internal buffer, enabling that user to
execute commands on the server with the user's UID/GID.

To exploit this problem the user has to have successfully authenticated to
the imapd service. Therefore, this vulnerability mainly affects free email
providers or mail servers where the user has no shell access to the system.
On other systems, in which the user already has shell access, users can
already run commands under their own UIDs/GIDs.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0379 to this issue.

Users of imapd are advised to upgrade to these errata packages, which
contain version 2001a of imapd and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will not be
updated. Note that you can also use wildcards (*.rpm) if your current
directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/imap-2001a-1.62.0.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/imap-2001a-1.62.0.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/imap-devel-2001a-1.62.0.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/imap-2001a-1.62.0.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/imap-devel-2001a-1.62.0.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/imap-2001a-1.62.0.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/imap-devel-2001a-1.62.0.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/imap-2001a-1.70.0.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/imap-2001a-1.70.0.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/imap-devel-2001a-1.70.0.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/imap-2001a-1.70.0.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/imap-devel-2001a-1.70.0.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/imap-2001a-1.71.0.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/imap-2001a-1.71.0.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/imap-devel-2001a-1.71.0.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/imap-2001a-1.71.0.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/imap-devel-2001a-1.71.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/imap-2001a-1.71.0.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/imap-devel-2001a-1.71.0.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/imap-2001a-1.72.0.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/imap-2001a-1.72.0.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/imap-devel-2001a-1.72.0.ia64.rpm

7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg <filename>

8. References:

http://marc.theaimsgroup.com/?l=bugtraq&m=102107222100529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0379

Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

[***** End Red Hat Advisory RHSA-2002:092-11 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or product
endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-075: HP Security Vulnerability in MPE/iX FTPSRVR
M-076: SGI IRIX nsd symlink Vulnerability
M-077: SGI IRIX Xlib Vulnerability
M-078: Sun Heap Overflow in Cachefs Daemon (cachefsd)
M-079: Format String Vulnerability in ISC DHCPD
M-080: SGI IRIX fsr_xfs Vulnerability
M-081: SSHD "AllowedAuthentications" Vulnerability
M-082: Microsoft Cumulative Patch for Internet Explorer
M-083: Microsoft Authentication Flaw in Windows Debugger
M-084: Red Hat "pam_ldap" Vulnerability
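Sections 4 and 7 of the Red Hat advisory above give the update step (`rpm -Fvh`) and the MD5/GPG verification steps separately; the script below, an added example that is not part of the CIAC bulletin or of Red Hat's text, ties them together so packages are freshened only after they verify. It assumes the errata RPMs have been downloaded into one directory and the advisory's `MD5 sum / Package Name` table has been saved to a file; the demo's package contents and its all-zero hash are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the CIAC or Red Hat text: gate the advisory's "rpm -Fvh"
# step on its "MD5 sum / Package Name" table so a corrupted or tampered download is
# never handed to rpm. TABLE holds one "<md5> <path-as-listed-in-advisory>" per line.

# verify_table TABLE DIR: print the local path of every package whose md5sum
# matches the table; return 0 only if every listed package is present and matches.
verify_table() {
    table=$1; dir=$2; bad=0
    while read -r sum pkg; do
        [ -z "$sum" ] && continue                 # skip blank lines
        file="$dir/$(basename "$pkg")"            # advisory lists release-relative paths
        if [ ! -f "$file" ]; then
            echo "MISSING  $file" >&2; bad=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "$file"
        else
            echo "MISMATCH $file (got $actual, expected $sum)" >&2; bad=1
        fi
    done < "$table"
    return $bad
}

# apply_verified TABLE DIR: the advisory's update step, run only when every
# entry verified and rpm's own signature check passes; otherwise install nothing.
apply_verified() {
    files=$(verify_table "$1" "$2") || { echo "verification failed; nothing installed" >&2; return 1; }
    [ -n "$files" ] || { echo "table lists no packages; nothing installed" >&2; return 1; }
    # shellcheck disable=SC2086  # splitting the newline-separated list is intended
    rpm --checksig $files && rpm -Fvh $files
}

# Constructed demo: two fake "packages"; the second table entry carries a
# placeholder hash (all zeros, not a real Red Hat checksum) so it must fail.
demo() {
    d=$(mktemp -d)
    printf 'fake package A\n' > "$d/imap-2001a-1.72.0.i386.rpm"
    printf 'fake package B\n' > "$d/imap-devel-2001a-1.72.0.i386.rpm"
    {
        printf '%s 7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm\n' \
            "$(md5sum "$d/imap-2001a-1.72.0.i386.rpm" | cut -d' ' -f1)"
        printf '%s 7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm\n' \
            00000000000000000000000000000000
    } > "$d/table"
    verify_table "$d/table" "$d"    # prints package A, reports B as MISMATCH, returns 1
    rm -rf "$d"
}
demo
```

On the target host, `apply_verified table.txt ./downloads` performs the whole check-then-freshen sequence; the demo at the bottom exercises only the table check.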