Bug 145469 - CAN-2005-0198 user validation issue in imap when using CRAM-MD5 authentication
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: imap
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: John Dennis
QA Contact: David Lawrence
Keywords: Security
Reported: 2005-01-18 14:43 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-02-23 12:17:34 EST

Description Josh Bressers 2005-01-18 14:43:55 EST
This issue was reported to us by CERT.  They've asked we keep quiet until they
release their advisory on 2005-01-27.

We have received a report from the University of Washington of a
vulnerability in their UW-IMAP server software.  The vulnerability
affects sites using CRAM-MD5 authentication and can allow a remote
attacker to authenticate to the IMAP server as any valid user.  A copy
of the original vulnerability report is included at the bottom of this

Since this issue has already been addressed in a public release of the
software, we are proposing to publish a vulnerability note about this
issue on 2005-01-27.  We may publish sooner if additional public
discussion occurs before then.

The fix is as such

     u = (md5try && strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? NIL : user;
     u = (md5try && !strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? user : NIL;

The effect of this change is to change the old behavior:
  if retries allowed AND password bad, then fail; else succeed 
to the correct:
  if retries allowed AND password good, then succeed; else fail

This problem is fixed in the January 4, 2005 release version of imap-2004b, on:
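
The before/after decision quoted above, as an added regression check in C (not part of the original report or of UW-IMAP's source): it enumerates every combination of remaining tries and digest match and counts the cases where a decision fails open. `expected_digest`, `count_violations`, the user name and the 0..3 try range are constructed for illustration; `md5try` is assumed to be the count of remaining attempts, following the report's "retries allowed" wording.

```c
#include <stdio.h>
#include <string.h>

#define NIL 0

/* Stand-in for hmac_md5 (chal,cl,p,pl): returns a constructed digest string
   so the example runs offline. The real server computes HMAC-MD5 here. */
static const char *expected_digest(void) { return "constructed-digest"; }

/* Decision as written before the fix. */
static const char *auth_old(int md5try, const char *hash, const char *user)
{
    return (md5try && strcmp(hash, expected_digest())) ? NIL : user;
}

/* Decision as written after the fix. */
static const char *auth_new(int md5try, const char *hash, const char *user)
{
    return (md5try && !strcmp(hash, expected_digest())) ? user : NIL;
}

typedef const char *(*auth_fn)(int, const char *, const char *);

/* Fail-closed property: a user is returned only when tries remain AND the
   digest matches. Returns how many (tries, digest) combinations violate it. */
static int count_violations(auth_fn decide)
{
    const char *digests[2] = { "constructed-digest", "wrong-digest" };
    int bad = 0;
    for (int tries = 0; tries <= 3; tries++) {   /* assumed range of md5try */
        for (int d = 0; d < 2; d++) {
            int should_pass = tries > 0 && d == 0;
            int passed = decide(tries, digests[d], "alice") != NIL;
            if (passed != should_pass)
                bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("old decision: %d violations\n", count_violations(auth_old));
    printf("new decision: %d violations\n", count_violations(auth_new));
    return 0;
}
```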
Comment 1 Josh Bressers 2005-01-18 14:45:30 EST
Please note that this issue only affects installations that are using the
CRAM-MD5 authentication.
Comment 2 Mark J. Cox (Product Security) 2005-02-01 04:49:08 EST
Comment 3 Josh Bressers 2005-02-03 14:49:04 EST
Ping on this issue
Comment 4 John Dennis 2005-02-03 17:36:10 EST
The RHEL-3 imap version was patched and errata RHSA-2005:128-01 was created;
however, note the release date was set a year into the future because I didn't
know the embargo date. This will have to be fixed.
Comment 6 Josh Bressers 2005-02-23 12:17:34 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

