Bug 145469 - CAN-2005-0198 user validation issue in imap when using CRAM-MD5 authentication
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: imap
Version: 3.0
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: John Dennis
QA Contact: David Lawrence
Keywords: Security
Reported: 2005-01-18 14:43 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-02-23 12:17:34 EST
Description Josh Bressers 2005-01-18 14:43:55 EST
This issue was reported to us by CERT.  They've asked we keep quiet until they
release their advisory on 2005-01-27.

We have received a report from the University of Washington of a
vulnerability in their UW-IMAP server software.  The vulnerability
affects sites using CRAM-MD5 authentication and can allow a remote
attacker to authenticate to the IMAP server as any valid user.  A copy
of the original vulnerability report is included at the bottom of this
message.

Since this issue has already been addressed in a public release of the
software, we are proposing to publish a vulnerability note about this
issue on 2005-01-27.  We may publish sooner if additional public
discussion occurs before then.


The fix is as such


Change:
     u = (md5try && strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? NIL : user;
To:
     u = (md5try && !strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? user : NIL;

The effect of this change is to change the old behavior:
  if retries allowed AND password bad, then fail; else succeed 
to the correct:
  if retries allowed AND password good, then succeed; else fail

This problem is fixed in the January 4, 2005 release version of imap-2004b, on:
       ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z
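
The two expressions from the report, run over every combination of remaining tries and response correctness to show where each departs from the stated rule. This is an added example, not UW-IMAP or Red Hat code; `expected` stands in for the `hmac_md5 (chal,cl,p,pl)` result, and the digest strings and the 0..3 range for `md5try` are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NIL NULL /* the code on the page uses NIL for a null pointer */
typedef const char *(*check_fn)(long, const char *, const char *, const char *);

/* "Change:" line from the report. `expected` is a stand-in (assumption)
   for the value hmac_md5 (chal,cl,p,pl) returns. */
static const char *check_old(long md5try, const char *hash,
                             const char *expected, const char *user)
{
    return (md5try && strcmp(hash, expected)) ? NIL : user;
}

/* "To:" line from the report. */
static const char *check_fixed(long md5try, const char *hash,
                               const char *expected, const char *user)
{
    return (md5try && !strcmp(hash, expected)) ? user : NIL;
}

/* Constructed digest strings, not real HMAC-MD5 output. */
static const char *GOOD = "0123456789abcdef0123456789abcdef";
static const char *BAD = "ffffffffffffffffffffffffffffffff";

/* Count states where fn disagrees with the rule stated in the report:
   succeed only if retries allowed AND password good (test range 0..3). */
static int policy_violations(check_fn fn)
{
    int violations = 0;
    for (long md5try = 0; md5try <= 3; md5try++) {
        for (int good = 0; good <= 1; good++) {
            int granted = fn(md5try, good ? GOOD : BAD, GOOD, "user") != NIL;
            if (granted != (md5try && good)) {
                printf("  md5try=%ld good=%d granted=%d\n", md5try, good, granted);
                violations++;
            }
        }
    }
    return violations;
}

int main(void)
{
    printf("old:   %d violations\n", policy_violations(check_old));
    printf("fixed: %d violations\n", policy_violations(check_fixed));
    return 0;
}
```

A table-driven check of this kind works as a regression test for authentication decisions, because it covers the states a single happy-path login test never reaches.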
Comment 1 Josh Bressers 2005-01-18 14:45:30 EST
Please note that this issue only affects installations that are using the
CRAM-MD5 authentication.
Comment 2 Mark J. Cox (Product Security) 2005-02-01 04:49:08 EST
Public
Comment 3 Josh Bressers 2005-02-03 14:49:04 EST
Ping on this issue
Comment 4 John Dennis 2005-02-03 17:36:10 EST
The RHEL-3 imap version was patched and errata RHSA-2005:128-01 was created.
However, note the release date was set a year into the future because I didn't
know the embargo date; this will have to be fixed.
Comment 6 Josh Bressers 2005-02-23 12:17:34 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-128.html
