This issue was reported to us by CERT. They've asked we keep quiet until they release their advisory on 2005-01-27.

We have received a report from the University of Washington of a vulnerability in their UW-IMAP server software. The vulnerability affects sites using CRAM-MD5 authentication and can allow a remote attacker to authenticate to the IMAP server as any valid user. A copy of the original vulnerability report is included at the bottom of this message.

Since this issue has already been addressed in a public release of the software, we are proposing to publish a vulnerability note about this issue on 2005-01-27. We may publish sooner if additional public discussion occurs before then.

The fix is as such

Change:

    u = (md5try && strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? NIL : user;

To:

    u = (md5try && !strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? user : NIL;

The effect of this change is to change the old behavior:

    if retries allowed AND password bad, then fail; else succeed

to the correct:

    if retries allowed AND password good, then succeed; else fail

This problem is fixed in the January 4, 2005 release version of imap-2004b, on: ftp://ftp.cac.washington.edu/mail/imap-2004b.tar.Z
Please note that this issue only affects installations that are using the CRAM-MD5 authentication.
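The logic change quoted in the report above, written out as a regression check. This is an added example, not code from the report or from UW-IMAP: `auth_old`, `auth_fixed`, `policy_violations`, the user name and the digest strings are hypothetical, and the `expected` argument stands in for the result of `hmac_md5 (chal,cl,p,pl)`.

```c
#include <stdio.h>
#include <string.h>

#define NIL NULL  /* stand-in for c-client's NIL (assumption) */

/* Pre-fix expression from the report. `hash` is the digest the client
 * sent; `expected` stands in for hmac_md5 (chal,cl,p,pl). */
static const char *auth_old(int md5try, const char *hash,
                            const char *expected, const char *user)
{
    return (md5try && strcmp(hash, expected)) ? NIL : user;
}

/* Post-fix expression from the report. */
static const char *auth_fixed(int md5try, const char *hash,
                              const char *expected, const char *user)
{
    return (md5try && !strcmp(hash, expected)) ? user : NIL;
}

typedef const char *(*auth_fn)(int, const char *, const char *, const char *);

/* Count the cases where fn's decision differs from the intended policy:
 * accept only if tries remain AND the digests match. */
static int policy_violations(auth_fn fn, int verbose)
{
    static const char good[] = "0123456789abcdef0123456789abcdef"; /* constructed */
    static const char bad[]  = "ffffffffffffffffffffffffffffffff"; /* constructed */
    int violations = 0;
    for (int md5try = 0; md5try <= 1; md5try++)
        for (int match = 0; match <= 1; match++) {
            int accepted = fn(md5try, match ? good : bad, good, "alice") != NIL;
            int wrong = accepted != (md5try && match);
            violations += wrong;
            if (verbose)
                printf("md5try=%d match=%d -> %s%s\n", md5try, match,
                       accepted ? "accept" : "reject", wrong ? "  <-- wrong" : "");
        }
    return violations;
}

int main(void)
{
    puts("old expression:");
    int old = policy_violations(auth_old, 1);
    puts("fixed expression:");
    return (policy_violations(auth_fixed, 1) == 0 && old == 2) ? 0 : 1;
}
```

A check of this shape fits in a package's test suite to confirm that a backported patch carries the corrected expression.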
Public
Ping on this issue
The RHEL-3 imap version was patched and errata RHSA-2005:128-01 was created; however, note the release date was set a year into the future because I didn't know the embargo date. This will have to be fixed.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-128.html