__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                         INFORMATION BULLETIN

      UW-imapd Fails to Properly Authenticate Users When Using CRAM-MD5
                  [US-CERT Vulnerability Note VU#702777]

January 28, 2005 18:00 GMT                                     Number P-117
                                                      [REVISED 28 Feb 2005]
                                                      [REVISED 10 Mar 2005]
______________________________________________________________________________
PROBLEM:       The Internet Message Access Protocol (IMAP) is a method of
               accessing electronic messages kept on a remote mail server.
               UW-imapd supports multiple user authentication methods,
               including the Challenge-Response Authentication Mechanism
               with MD5 (CRAM-MD5). A logic error in the UW-imapd code that
               handles CRAM-MD5 incorrectly specifies the conditions of
               successful authentication.
PLATFORM:      UW-imapd
               Red Hat Desktop (v. 3)
               Red Hat Enterprise Linux AS, ES, WS (v. 3)
               SGI ProPack 3 Service Pack 4 for SGI Altix family of systems
DAMAGE:        A remote attacker could authenticate as any user on the
               target system and thereby read and delete email in the
               authorized user's account.
SOLUTION:      Upgrade or apply a patch.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A remote attacker could authenticate as any
ASSESSMENT:    user on the target system and thereby read and delete email
               in the authorized user's account.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-117.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/702777
 ADDITIONAL LINK:    Red Hat RHSA-2005:128-06
                     https://rhn.redhat.com/errata/RHSA-2005-128.html
                     SGI Advanced Linux Environment 3, Update #29,
                     20050301-01-U
                     ftp://patches.sgi.com/support/free/security/advisories/
                     20050301-01-U.asc
______________________________________________________________________________
REVISION HISTORY:
 02/28/2005 - added a link to Red Hat RHSA-2005:128-06 for Red Hat Desktop
              (v. 3) and Red Hat Enterprise Linux AS, ES, WS (v. 3).
 03/10/2005 - added a link to SGI Update #29, 20050301-01-U for SGI ProPack 3
              Service Pack 4 RPMs for the SGI Altix family of systems in
              response to this security issue.

[***** Start US-CERT Vulnerability Note VU#702777 *****]

Vulnerability Note VU#702777

UW-imapd fails to properly authenticate users when using CRAM-MD5

Overview

   A vulnerability in an authentication method for the University of
   Washington IMAP server could allow a remote attacker to access any
   user's mailbox.

I. Description

   The Internet Message Access Protocol (IMAP) is a method of accessing
   electronic messages kept on a remote mail server and is specified in
   RFC3501. The University of Washington IMAP server features multiple
   user authentication methods, including the Challenge-Response
   Authentication Mechanism with MD5 (CRAM-MD5) as defined by RFC2195.

   A logic error in the code that handles CRAM-MD5 incorrectly specifies
   the conditions of successful authentication. This error results in a
   vulnerability that could allow a remote attacker to successfully
   authenticate as any user on the target system.

   This vulnerability only affects sites that have explicitly enabled
   CRAM-MD5 style authentication; it is not enabled in the default
   configuration of the UW-IMAP server.

II. Impact

   A remote attacker could authenticate as any user on the target system
   and thereby read and delete email in the authorized user's account.

III. Solution

   Upgrade or apply a patch

   Fixed versions of the software have been released to address this
   issue. Please see the Systems Affected section of this document for
   more details.

Systems Affected

   Vendor                      Status           Date Updated
   Apple Computer Inc.         Not Vulnerable   18-Jan-2005
   Conectiva                   Unknown          18-Jan-2005
   Cray Inc.                   Unknown          18-Jan-2005
   Debian                      Unknown          18-Jan-2005
   EMC Corporation             Unknown          18-Jan-2005
   Engarde                     Unknown          18-Jan-2005
   F5 Networks                 Unknown          18-Jan-2005
   FreeBSD                     Unknown          18-Jan-2005
   Fujitsu                     Unknown          18-Jan-2005
   Hewlett-Packard Company     Unknown          18-Jan-2005
   Hitachi                     Not Vulnerable   18-Jan-2005
   IBM                         Unknown          18-Jan-2005
   IBM-zSeries                 Unknown          18-Jan-2005
   IBM eServer                 Unknown          18-Jan-2005
   Immunix                     Unknown          18-Jan-2005
   Ingrian Networks            Unknown          18-Jan-2005
   Juniper Networks            Unknown          18-Jan-2005
   MandrakeSoft                Unknown          18-Jan-2005
   Microsoft Corporation       Not Vulnerable   20-Jan-2005
   MontaVista Software         Unknown          18-Jan-2005
   NEC Corporation             Unknown          18-Jan-2005
   NetBSD                      Unknown          18-Jan-2005
   Nokia                       Unknown          18-Jan-2005
   Novell                      Unknown          18-Jan-2005
   OpenBSD                     Unknown          18-Jan-2005
   Openwall GNU/*/Linux        Unknown          18-Jan-2005
   Red Hat Inc.                Unknown          18-Jan-2005
   SCO-LINUX                   Unknown          18-Jan-2005
   SCO-UNIX                    Unknown          18-Jan-2005
   Sequent                     Unknown          18-Jan-2005
   SGI                         Unknown          18-Jan-2005
   Sony Corporation            Unknown          18-Jan-2005
   Sun Microsystems Inc.       Not Vulnerable   24-Jan-2005
   SuSE Inc.                   Unknown          18-Jan-2005
   TurboLinux                  Unknown          18-Jan-2005
   Unisys                      Unknown          18-Jan-2005
   University of Washington    Vulnerable       24-Jan-2005
   Wind River Systems Inc.     Unknown          18-Jan-2005

References

Credit

   Thanks to Mark Crispin and Hugh Sheets of the University of Washington
   for reporting this vulnerability.

   This document was written by Chad R Dougherty.
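The CRAM-MD5 exchange described in section I above, as an added example that is not part of the bulletin or of UW-imapd: a server-side verifier that accepts a response only when it is exactly "<user> <hex digest>" and the digest equals HMAC-MD5(secret, challenge) per RFC 2195. The credential store, the lookup function and the encode helper are constructed for this example; the challenge, user and secret are the RFC 2195 sample values.

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional

# Constructed credential store (user -> shared secret). CRAM-MD5 needs the
# server to hold the secret, or an equivalent HMAC context, in a usable form.
SECRETS = {"tim": "tanstaaftanstaaf"}          # RFC 2195 sample credential
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"  # RFC 2195 sample


def cram_md5_digest(secret: str, challenge: str) -> str:
    """HMAC-MD5 of the server challenge keyed by the shared secret, as
    lowercase hex (RFC 2195)."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()


def encode_response(user: str, digest: str) -> str:
    """Client side of the exchange: base64('<user> <digest>')."""
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def verify_cram_md5(challenge: str, response_b64: str,
                    lookup: Callable[[str], Optional[str]] = SECRETS.get) -> bool:
    """Return True only on an exact digest match for a known user.
    Every other path (bad base64, wrong field count, non-hex or wrong-length
    digest, unknown user, mismatch) is a rejection."""
    try:
        response = base64.b64decode(response_b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    parts = response.split(" ")
    if len(parts) != 2:
        return False
    user, digest = parts
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        return False
    secret = lookup(user)
    # Unknown user: still compute an HMAC against a dummy secret so response
    # time does not reveal whether the account exists, then reject below.
    expected = cram_md5_digest(secret if secret is not None else "\x00", challenge)
    # The only condition of success: known user AND constant-time digest equality.
    return secret is not None and hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    ok = verify_cram_md5(RFC_CHALLENGE, encode_response(
        "tim", cram_md5_digest("tanstaaftanstaaf", RFC_CHALLENGE)))
    print("RFC 2195 sample accepted:", ok)
```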
Other Information

   Date Public         01/04/2005
   Date First Published 01/27/2005 04:07:12 PM
   Date Last Updated   01/27/2005
   CERT Advisory
   CVE Name
   Metric              6.08
   Document Revision   12

[***** End US-CERT Vulnerability Note VU#702777 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein
to any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-107: Security Vulnerability in Solaris 8 DHCP Administration Utilities
P-108: libdbi-perl
P-109: Cisco IOS Misformed BGP Packet Causes Reload
P-110: Crafted Packet Causes Reload on Cisco Routers
P-111: Cisco Multiple Crafted IPv6 Packets Cause Reload
P-112: Updated less Package Fixes Security Issue
P-113: BIND Vulnerabilities
P-114: BIND: Self Check Failing
P-115: libpam-radius-auth
P-116: Apple Security Update for Mac OS X