>Date sent: Mon, 7 Apr 1997 22:22:44 -0500
>To: [log in to unmask]
>From: Paul Hoffman <[log in to unmask]>
>Subject: IMC FLASH UPDATE -- CERT IMAP/POP Notice
>
>IMC FLASH UPDATE -- CERT IMAP/POP Notice
>
>This is the first IMC Flash Update:
>
>April 7, 1997: The Computer Emergency Response Team (CERT) has just issued
>a notice that can be interpreted as a problem in the IMAP and POP email
>standards, when in fact the notice is about specific implementations. The
>notice, CERT Advisory CA-97.09, is attached below.
>
>CERT Advisories typically pertain to software rather than specifications,
>but a casual reading of the beginning of this advisory could be
>misinterpreted. The particular software problem involves a buffer overrun that
>allows inappropriate root access. This is a type of software error which
>has been seen in many implementations of other protocols and is easily
>fixed, as described in the CERT notice.
>
>IMC is sending this notice to aid the press and those talking to the press
>in clearing up this potential misunderstanding.
>
>--Paul Hoffman, Director
>--Internet Mail Consortium
>
Note: the following does NOT affect HP3000s (specifically the NetMail/3000
POP Server :) ).
>Date: Mon, 7 Apr 1997 14:43:14 -0400
>From: CERT Advisory <[log in to unmask]>
>To: [log in to unmask]
>Subject: CERT Advisory CA-97.09 - Vulnerability in IMAP and POP
>Reply-To: [log in to unmask]
>Organization: CERT(sm) Coordination Center - +1 412-268-7090
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT* Advisory CA-97.09
>Original issue date: April 7, 1997
>Last revised: --
>Topic: Vulnerability in IMAP and POP
>- ----------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of a vulnerability
>in some versions of the Internet Message Access Protocol (IMAP) and
>Post Office Protocol (POP) implementations (imapd, ipop2d, and
>ipop3d). Information about this vulnerability has been publicly
>distributed.
>
>By exploiting this vulnerability, remote users can obtain unauthorized root
>access.
>
>The CERT/CC team recommends installing a patch if one is available or
>upgrading to IMAP4rev1. Until you can do so, we recommend disabling the IMAP
>and POP services at your site.
>
>We will update this advisory as we receive additional information.
>Please check our advisory files regularly for updates that relate to
>your site.
>
>- -----------------------------------------------------------------------------
>I. Description
>
> The current version of Internet Message Access Protocol (IMAP) supports
> both online and offline operation, permitting manipulation of remote
> message folders. It provides access to multiple mailboxes (possibly on
> multiple servers), and supports nested mailboxes as well as
> resynchronization with the server. The current version also provides a
> user with the ability to create, delete, and rename mailboxes. Additional
> details concerning the functionality of IMAP can be found in RFC 2060
> (the IMAP4rev1 specification) available from
>
> http://ds.internic.net/rfc/rfc2060.txt
>
> The Post Office Protocol (POP) was designed to support offline mail
> processing. That is, the client connects to the server to download mail
> that the server is holding for the client. The mail is deleted from the
> server and is handled offline (locally) on the client machine.
>
> In both protocols, the server must run with root privileges so it can
> access mail folders and undertake some file manipulation on behalf of the
> user logging in. After login, these privileges are discarded. However, a
> vulnerability exists in the way the login transaction is handled, and
> this can be exploited to gain privileged access on the server. By
> sending carefully crafted text to a system running a vulnerable version
> of these servers, remote users may be able to cause a buffer overflow and
> execute arbitrary instructions with root privileges.
>
> Information about this vulnerability has been widely distributed.
>
>II. Impact
>
> Remote users can obtain root access on systems running a vulnerable IMAP
> or POP server. They do not need access to an account on the system to do
> this.
>
>III. Solution
>
> Install a patch from your vendor (see Section A) or upgrade to the latest
> version of IMAP (Section B). If your POP server is based on the
> University of Washington IMAP server code, you should also upgrade to
> the latest version of IMAP. Until you can take one of these actions, you
> should disable services (Section C). In all cases, we urge you to take
> the additional precaution described in Section D.
>
> A. Obtain and install a patch from your vendor
>
> Below is a list of vendors who have provided information about this
> vulnerability. Details are in Appendix A of this advisory; we will update
> the appendix as we receive more information. If your vendor's name is not
> on this list, please contact your vendor directly.
>
> Berkeley Software Design, Inc. (BSDI)
> Cray Research
> Linux - Red Hat
> Sun Microsystems, Inc.
> University of Washington
>
> B. Upgrade to the latest version of IMAP
>
> An alternative to installing vendor patches is upgrading to IMAP4rev1,
> which is available from
>
> ftp://ftp.cac.washington.edu/mail/imap.tar.Z
>
> MD5 (imap.tar.Z) = fb94453e8d2ada303e2db8d83d54bfb6
>
> C. Disable services
>
> Until you can take one of the above actions, temporarily disable the POP
> and IMAP services. On many systems, you will need to edit the
> /etc/inetd.conf file. However, you should check your vendor's
> documentation because systems vary in file location and the exact
> changes required (for example, sending the inetd process a HUP signal or
> killing and restarting the daemon).
>
> If you are not able to temporarily disable the POP and IMAP services,
> then you should at least limit access to the vulnerable services to
> machines in your local network. This can be done by installing the
> tcp_wrappers described in Section D, not only for logging but also for
> access control. Note that even with access control via tcp_wrappers, you
> are still vulnerable to attacks from hosts that are allowed to connect
> to the vulnerable POP or IMAP service.
>
> D. Additional precaution
>
> Because IMAP or POP is launched out of inetd.conf, tcp_wrappers can be
> installed to log connections which can then be examined for suspicious
> activity. You may want to consider filtering connections at the firewall
> to discard unwanted/unauthorized connections.
>
> The tcp_wrappers tool is available in
>
> ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.5.tar.gz
>
> MD5 (tcp_wrappers_7.5.tar.gz) = 8c7a17a12d9be746e0488f7f6bfa4abb
>
> Note that this precaution does not address the vulnerability described
> in this advisory, but it is a good security practice in general.
>
>............................................................................
>
>Appendix A - Vendor Information
>
>Below is a list of the vendors who have provided information for this
>advisory. We will update this appendix as we receive additional information.
>If you do not see your vendor's name, the CERT/CC did not hear from that
>vendor. Please contact the vendor directly.
>
>
>Berkeley Software Design, Inc. (BSDI)
>=====================================
>
> We're working on patches for both BSD/OS 2.1 and BSD/OS 3.0 for
> imap (which we include as part of pine).
>
>Cray Research
>=============
>
> Not vulnerable.
>
>Linux Systems
>=============
>
> Red Hat
> -------
> The IMAP servers included with all versions of Red Hat Linux have
> a buffer overrun which allows *remote* users to gain root access on
> systems which run them. A fix for Red Hat 4.1 is now available
> (details on it at the end of this note).
>
> Users of Red Hat 4.0 should apply the Red Hat 4.1 fix. Users of previous
> releases of Red Hat Linux are strongly encouraged to upgrade or simply
> not run imap. You can remove imap from any machine running with Red
> Hat Linux 2.0 or later by running the command "rpm -e imap", rendering
> it immune to this problem.
>
> All of the new packages are PGP signed with Red Hat's PGP key,
> and may be obtained from ftp.redhat.com:/updates/4.1. If
> you have direct Internet access, you may upgrade these packages on your
> system with the following commands:
>
> Intel:
> rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/imap-4.1.BETA-3.i386.rpm
>
> MD5 (imap-4.1.BETA-3.i386.rpm) = 8ac64fff475ee43d409fc9776a6637a6
>
> Alpha:
> rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/imap-4.1.BETA-3.alpha.rpm
>
> MD5 (imap-4.1.BETA-3.alpha.rpm) = fd42ac24d7c4367ee51fd00e631cae5b
>
> SPARC:
> rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/imap-4.1.BETA-3.sparc.rpm
>
> MD5 (imap-4.1.BETA-3.sparc.rpm) = 751598aae3d179284b8ea4d7a9b78868
>
>
>Sun Microsystems, Inc.
>======================
>
> We are investigating the problem.
>
>University of Washington
>========================
>
> This vulnerability has been detected in the University of Washington c-client
> library used in the UW IMAP and POP servers. This vulnerability affects all
> versions of imapd prior to v10.165, all versions of ipop2d prior to 2.3(32),
> and all versions of ipop3d prior to 3.3(27).
>
> It is recommended that all sites using these servers upgrade to the
> latest versions, available in the UW IMAP toolkit:
>
> ftp://ftp.cac.washington.edu/mail/imap.tar.Z
>
> MD5 (imap.tar.Z) = fb94453e8d2ada303e2db8d83d54bfb6
>
>
> This is a source distribution which includes imapd, ipop2d, ipop3d, and
> the c-client library. The IMAP server in this distribution conforms with
> RFC2060 (the IMAP4rev1 specification).
>
> Sites which are not yet prepared to upgrade from IMAP2bis to IMAP4
> service may obtain a corrected IMAP2bis server as part of the latest
> (3.96) UW Pine distribution, available at:
>
> ftp://ftp.cac.washington.edu/pine/pine.tar.Z
>
> MD5 (pine.tar.Z) = 37138f0d1ec3175cf1ffe6c062c9abbf
>
>- -----------------------------------------------------------------------------
>The CERT Coordination Center thanks the University of Washington's
>Computing and Communications staff for information relating to this
>advisory.
>- -----------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident Response
>and Security Teams (see http://www.first.org/team-info)
>
>
>CERT/CC Contact Information
>- ---------------------------
>Email [log in to unmask]
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
> and are on call for emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>Using encryption
> We strongly urge you to encrypt sensitive information sent by email. We can
> support a shared DES key or PGP. Contact the CERT/CC for more information.
> Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>Getting security information
> CERT publications and other security information are available from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
> CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
> To be added to our mailing list for advisories and bulletins, send
> email to
> [log in to unmask]
> In the subject line, type
> SUBSCRIBE your-email-address
>
>- ---------------------------------------------------------------------------
>Copyright 1997 Carnegie Mellon University
>This material may be reproduced and distributed without permission provided
>it is used for noncommercial purposes and the copyright statement is
>included.
>
>* Registered in the U.S. Patent and Trademark Office.
>
>- ---------------------------------------------------------------------------
>
>This file: ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop
> http://www.cert.org
> click on "CERT Advisories"
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Revision history
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQCVAwUBM0kvp3VP+x0t4w7BAQHiDwQAzvj0AH/xujQrqu43J18BSbkuccdHg5gn
>iNqAGoWG0rg6nUAutwJJenpvcf3ErzzIfHpvv+gwX7N6dyHma0KZlmDq1LxUlNp5
>b+rfOklPR7dT8/aIYeBwz8IuwF9kQMBYmK9KQk1w5iJTHFzfHdJGdRIj0XAyCjUU
>kooGrZuPKQg=
>=kxPN
>-----END PGP SIGNATURE-----
>
______________________/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
Geoff Harper Sales (US): 800 Net-Mail Fax:+1 703 451-3720
______ +1 703 569-9189 mailto:[log in to unmask]
/__ | \__________ Sales (Europe):+44(1480)414131 Fax:+44(1480)414134
/ / | / ________ Sales (Pacific Rim):+61 3 9489 8216 (same for fax)
| /_ |< ______ Tech Support:+1 703 569-9189 Fax:+1 703 451-3720
\ __)| \ ___ mailto:[log in to unmask] Me: mailto:[log in to unmask]
\______/Associates, 6901 Old Keene Mill Rd Suite 500 Springfield VA 22150
_________________Inc._/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
Gopher: gopher.3k.com Anon-FTP: ftp.3k.com WWW: http://www.3k.com/
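The advisory states only that the login transaction overflows a fixed buffer in a server that is still running as root, and that the fix is to upgrade. The C fragment below is an added illustration written for this page; it is not the University of Washington c-client code, does not reproduce the actual imapd/ipop3d bug, and the field limit, function names and sample commands are assumptions. It assumes the RFC 2060 LOGIN form "<tag> LOGIN <user> <password>" and shows the unbounded-copy pattern beside a bounded parser that rejects oversized fields instead of copying them.

```c
/*
 * Illustration only (not UW c-client code): the class of bug behind a
 * pre-authentication overflow in a LOGIN handler, beside a bounded parser.
 * Assumed command form (RFC 2060): <tag> LOGIN <user> <password>
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed per-field limit for this illustration */

struct login {
    char user[FIELD_MAX];
    char pass[FIELD_MAX];
};

/*
 * Vulnerable pattern: "%s" has no width, so a user name longer than
 * FIELD_MAX-1 bytes is written straight past out->user. In a daemon that
 * has not yet dropped root, that is the condition the advisory describes.
 * Never call this with untrusted input; it is kept only for comparison.
 */
int parse_login_unsafe(const char *line, struct login *out)
{
    char tag[16];
    return sscanf(line, "%s LOGIN %s %s", tag, out->user, out->pass) == 3;
}

/*
 * Copy one space-delimited token into dst (capacity cap). Returns the
 * position after the token, or NULL if the token is empty or would not
 * fit, so nothing is written unless the whole token fits.
 */
static const char *take_token(const char *p, char *dst, size_t cap)
{
    while (*p == ' ') p++;
    size_t n = 0;
    while (p[n] && p[n] != ' ' && p[n] != '\r' && p[n] != '\n') n++;
    if (n == 0 || n >= cap) return NULL;
    memcpy(dst, p, n);
    dst[n] = '\0';
    return p + n;
}

/* IMAP command names are case-insensitive. */
static int is_login_cmd(const char *cmd)
{
    const char *want = "LOGIN";
    for (; *cmd && *want; cmd++, want++)
        if (toupper((unsigned char)*cmd) != *want) return 0;
    return *cmd == '\0' && *want == '\0';
}

/* Hardened parser: every field is length-checked before it is copied. */
int parse_login_safe(const char *line, struct login *out)
{
    char tag[16], cmd[8];
    const char *p = line;
    if (!(p = take_token(p, tag, sizeof tag))) return 0;
    if (!(p = take_token(p, cmd, sizeof cmd))) return 0;
    if (!is_login_cmd(cmd)) return 0;
    if (!(p = take_token(p, out->user, sizeof out->user))) return 0;
    if (!(p = take_token(p, out->pass, sizeof out->pass))) return 0;
    while (*p == ' ') p++;
    return *p == '\0' || *p == '\r' || *p == '\n';   /* no trailing junk */
}

/*
 * Constructed test input: a LOGIN line whose user name is 229 bytes of 'A',
 * far beyond FIELD_MAX. Returns 1 if the hardened parser rejects it.
 */
int oversize_rejected(void)
{
    char line[256];
    struct login l;
    memset(line, 'A', sizeof line);
    memcpy(line, "a002 LOGIN ", 11);
    line[240] = ' ';
    line[241] = 'x';
    line[242] = '\0';
    return parse_login_safe(line, &l) == 0;
}

int main(void)
{
    struct login l;
    int ok = parse_login_safe("a001 LOGIN alice secret\r\n", &l);
    printf("normal login parsed: %d (user=%s)\n", ok, l.user);
    printf("oversized user rejected: %d\n", oversize_rejected());
    return 0;
}
```

The unsafe variant is deliberately never fed the oversized line: with an unbounded "%s" it would write past user[] on the stack of a process that still holds root, which is exactly why the advisory's interim advice is to stop exposing the service rather than to trust any input filtering in front of it.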