HP3000-L Archives

April 1997, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Geoff Harper <[log in to unmask]>
Date: Tue, 8 Apr 1997 19:04:35 -0400
Content-Type: Text/Plain
>Date sent:        Mon, 7 Apr 1997 22:22:44 -0500
>To:               [log in to unmask]
>From:             Paul Hoffman <[log in to unmask]>
>Subject:          IMC FLASH UPDATE -- CERT IMAP/POP Notice
>
>IMC FLASH UPDATE -- CERT IMAP/POP Notice
>
>This is the first IMC Flash Update:
>
>April 7, 1997: The Computer Emergency Response Team (CERT) has just issued
>a notice that can be interpreted as a problem in the IMAP and POP email
>standards, when in fact the notice is about specific implementations. The
>notice, CERT Advisory CA-97.09, is attached below.
>
>CERT Advisories typically pertain to software rather than specifications,
>but a casual reading of the beginning of this advisory could be
>misinterpreted. The particular software problem involves buffer overrun and
>allowing inappropriate root access. This is a type of software error which
>has been seen in many implementations of other protocols and is easily
>fixed, as described in the CERT notice.
>
>IMC is sending this notice to aid the press and those talking to the press
>in clearing up this potential misunderstanding.
>
>--Paul Hoffman, Director
>--Internet Mail Consortium
>

Note: the following does NOT affect HP3000s (specifically the NetMail/3000
      POP Server :) ).

>Date: Mon, 7 Apr 1997 14:43:14 -0400
>From: CERT Advisory <[log in to unmask]>
>To: [log in to unmask]
>Subject: CERT Advisory CA-97.09 - Vulnerability in IMAP and POP
>Reply-To: [log in to unmask]
>Organization: CERT(sm) Coordination Center -  +1 412-268-7090
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT* Advisory CA-97.09
>Original issue date: April 7, 1997
>Last revised: --
>Topic: Vulnerability in IMAP and POP
>- ----------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of a vulnerability
>in some versions of the Internet Message Access Protocol (IMAP) and
>Post Office Protocol (POP) implementations (imapd, ipop2d, and
>ipop3d). Information about this vulnerability has been publicly
>distributed.
>
>By exploiting this vulnerability, remote users can obtain unauthorized root
>access.
>
>The CERT/CC team recommends installing a patch if one is available or
>upgrading to IMAP4rev1. Until you can do so, we recommend disabling the IMAP
>and POP services at your site.
>
>We will update this advisory as we receive additional information.
>Please check our advisory files regularly for updates that relate to
>your site.
>
>- -----------------------------------------------------------------------------
>I.   Description
>
>     The current version of Internet Message Access Protocol (IMAP) supports
>     both online and offline operation, permitting manipulation of remote
>     message folders. It provides access to multiple mailboxes (possibly on
>     multiple servers), and supports nested mailboxes as well as
>     resynchronization with the server. The current version also provides a
>     user with the ability to create, delete, and rename mailboxes. Additional
>     details concerning the functionality of IMAP can be found in RFC 2060
>     (the IMAP4rev1 specification) available from
>
>                http://ds.internic.net/rfc/rfc2060.txt
>
>     The Post Office Protocol (POP) was designed to support offline mail
>     processing. That is, the client connects to the server to download mail
>     that the server is holding for the client. The mail is deleted from the
>     server and is handled offline (locally) on the client machine.
>
>     In both protocols, the server must run with root privileges so it can
>     access mail folders and undertake some file manipulation on behalf of the
>     user logging in. After login, these privileges are discarded. However, a
>     vulnerability exists in the way the login transaction is handled, and
>     this can be exploited to gain privileged access on the server. By
>     preparing carefully crafted text to a system running a vulnerable version
>     of these servers, remote users may be able to cause a buffer overflow and
>     execute arbitrary instructions with root privileges.
>
>     Information about this vulnerability has been widely distributed.
>
>II.  Impact
>
>     Remote users can obtain root access on systems running a vulnerable IMAP
>     or POP server. They do not need access to an account on the system to do
>     this.
>
>III. Solution
>
>     Install a patch from your vendor (see Section A) or upgrade to the latest
>     version of IMAP (Section B).  If your POP server is based on the
>     University of Washington IMAP server code, you should also upgrade to
>     the latest version of IMAP. Until you can take one of these actions, you
>     should disable services (Section C). In all cases, we urge you to take
>     the additional precaution described in Section D.
>
>  A. Obtain and install a patch from your vendor
>
>     Below is a list of vendors who have provided information about this
>     vulnerability. Details are in Appendix A of this advisory; we will update
>     the appendix as we receive more information. If your vendor's name is not
>     on this list, please contact your vendor directly.
>
>        Berkeley Software Design, Inc. (BSDI)
>        Cray Research
>        Linux -  Red Hat
>        Sun Microsystems, Inc.
>        University of Washington
>
>  B. Upgrade to the latest version of IMAP
>
>     An alternative to installing vendor patches is upgrading to IMAP4rev1,
>     which is available from
>
>        ftp://ftp.cac.washington.edu/mail/imap.tar.Z
>
>        MD5 (imap.tar.Z) = fb94453e8d2ada303e2db8d83d54bfb6
>
>  C.  Disable services
>
>      Until you can take one of the above actions, temporarily disable the POP
>      and IMAP services. On many systems, you will need to edit the
>      /etc/inetd.conf file. However, you should check your vendor's
>      documentation because systems vary in file location and the exact
>      changes required (for example, sending the inetd process a HUP signal or
>      killing and restarting the daemon).
>
>      If you are not able to temporarily disable the POP and IMAP services,
>      then you should at least limit access to the vulnerable services to
>      machines in your local network. This can be done by installing the
>      tcp_wrappers described in Section D, not only for logging but also for
>      access control. Note that even with access control via tcp_wrappers, you
>      are still vulnerable to attacks from hosts that are allowed to connect
>      to the vulnerable POP or IMAP service.
>
> D.  Additional precaution
>
>     Because IMAP or POP is launched out of inetd.conf, tcp_wrappers can be
>     installed to log connections which can then be examined for suspicious
>     activity. You may want to consider filtering connections at the firewall
>     to discard unwanted/unauthorized connections.
>
>     The tcp_wrappers tool is available in
>
>        ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.5.tar.gz
>
>        MD5 (tcp_wrappers_7.5.tar.gz) = 8c7a17a12d9be746e0488f7f6bfa4abb
>
>     Note that this precaution does not address the vulnerability described
>     in this advisory, but it is a good security practice in general.
>
>............................................................................
>
>Appendix A - Vendor Information
>
>Below is a list of the vendors who have provided information for this
>advisory. We will update this appendix as we receive additional information.
>If you do not see your vendor's name, the CERT/CC did not hear from that
>vendor. Please contact the vendor directly.
>
>
>Berkeley Software Design, Inc. (BSDI)
>=====================================
>
>  We're working on patches for both BSD/OS 2.1 and BSD/OS 3.0 for
>  imap (which we include as part of pine).
>
>Cray Research
>=============
>
>  Not vulnerable.
>
>Linux Systems
>=============
>
>  Red Hat
>  -------
>  The IMAP servers included with all versions of Red Hat Linux have
>  a buffer overrun which allows *remote* users to gain root access on
>  systems which run them. A fix for Red Hat 4.1 is now available
>  (details on it at the end of this note).
>
>  Users of Red Hat 4.0 should apply the Red Hat 4.1 fix. Users of previous
>  releases of Red Hat Linux are strongly encouraged to upgrade or simply
>  not run imap. You can remove imap from any machine running with Red
>  Hat Linux 2.0 or later by running the command "rpm -e imap", rendering
>  them immune to this problem.
>
>  All of the new packages are PGP signed with Red Hat's PGP key,
>  and may be obtained from ftp.redhat.com:/updates/4.1. If
>  you have direct Internet access, you may upgrade these packages on your
>  system with the following commands:
>
>  Intel:
>  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/imap-4.1.BETA-3.i386.rpm
>
>        MD5 (imap-4.1.BETA-3.i386.rpm) = 8ac64fff475ee43d409fc9776a6637a6
>
>  Alpha:
>  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/imap-4.1.BETA-3.alpha.rpm
>
>        MD5 (imap-4.1.BETA-3.alpha.rpm) = fd42ac24d7c4367ee51fd00e631cae5b
>
>  SPARC:
>  rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/imap-4.1.BETA-3.sparc.rpm
>
>        MD5 (imap-4.1.BETA-3.sparc.rpm) = 751598aae3d179284b8ea4d7a9b78868
>
>
>Sun Microsystems, Inc.
>======================
>
>  We are investigating the problem.
>
>University of Washington
>========================
>
>  This vulnerability has been detected in the University of Washington c-client
>  library used in the UW IMAP and POP servers.  This vulnerability affects all
>  versions of imapd prior to v10.165, all versions of ipop2d prior to 2.3(32),
>  and all versions of ipop3d prior to 3.3(27).
>
>  It is recommended that all sites using these servers upgrade to the
>  latest versions, available in the UW IMAP toolkit:
>
>        ftp://ftp.cac.washington.edu/mail/imap.tar.Z
>
>        MD5 (imap.tar.Z) = fb94453e8d2ada303e2db8d83d54bfb6
>
>
>  This is a source distribution which includes imapd, ipop2d, ipop3d, and
>  the c-client library.  The IMAP server in this distribution conforms with
>  RFC2060 (the IMAP4rev1 specification).
>
>  Sites which are not yet prepared to upgrade from IMAP2bis to IMAP4
>  service may obtain a corrected IMAP2bis server as part of the latest
>  (3.96) UW Pine distribution, available at:
>
>        ftp://ftp.cac.washington.edu/pine/pine.tar.Z
>
>        MD5 (pine.tar.Z) = 37138f0d1ec3175cf1ffe6c062c9abbf
>
>- -----------------------------------------------------------------------------
>The CERT Coordination Center thanks the University of Washington's
>Computing and Communications staff for information relating to this
>advisory.
>- -----------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident Response
>and Security Teams (see http://www.first.org/team-info)
>
>
>CERT/CC Contact Information
>- ---------------------------
>Email    [log in to unmask]
>
>Phone    +1 412-268-7090 (24-hour hotline)
>                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
>                and are on call for emergencies during other hours.
>
>Fax      +1 412-268-6989
>
>Postal address
>         CERT Coordination Center
>         Software Engineering Institute
>         Carnegie Mellon University
>         Pittsburgh PA 15213-3890
>         USA
>
>Using encryption
>   We strongly urge you to encrypt sensitive information sent by email. We can
>   support a shared DES key or PGP. Contact the CERT/CC for more information.
>   Location of CERT PGP key
>         ftp://info.cert.org/pub/CERT_PGP.key
>
>Getting security information
>   CERT publications and other security information are available from
>        http://www.cert.org/
>        ftp://info.cert.org/pub/
>
>   CERT advisories and bulletins are also posted on the USENET newsgroup
>        comp.security.announce
>
>   To be added to our mailing list for advisories and bulletins, send
>   email to
>        [log in to unmask]
>   In the subject line, type
>        SUBSCRIBE  your-email-address
>
>- ---------------------------------------------------------------------------
>Copyright 1997 Carnegie Mellon University
>This material may be reproduced and distributed without permission provided
>it is used for noncommercial purposes and the copyright statement is
>included.
>
>* Registered in the U.S. Patent and Trademark Office.
>
>- ---------------------------------------------------------------------------
>
>This file: ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop
>           http://www.cert.org
>               click on "CERT Advisories"
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Revision history
>
>


______________________/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
Geoff Harper           Sales (US):   800 Net-Mail    Fax:+1 703 451-3720
   ______                         +1 703 569-9189    mailto:[log in to unmask]
  /__ |  \__________   Sales (Europe):+44(1480)414131 Fax:+44(1480)414134
 /  / | / ________     Sales (Pacific Rim):+61 3 9489 8216 (same for fax)
|  /_ |<  ______       Tech Support:+1 703 569-9189  Fax:+1 703 451-3720
 \ __)| \ ___          mailto:[log in to unmask]       Me: mailto:[log in to unmask]
  \______/Associates,  6901 Old Keene Mill Rd Suite 500 Springfield VA 22150
_________________Inc._/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
Gopher: gopher.3k.com   Anon-FTP: ftp.3k.com  WWW: http://www.3k.com/
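Sections C and D of the quoted advisory give the interim mitigation only in prose. The script below is an added example, not part of CA-97.09 or of any vendor's packages: it carries out the inetd.conf step on a constructed sample file so it runs offline, and prints the tcp_wrappers rules for the fallback case. The /usr/sbin/tcpd path, the daemon names as inetd spawns them, and the 192.168.1.0 network are assumptions.

```shell
#!/bin/sh
# Added example, not part of CA-97.09 or any vendor's tooling: it carries out
# Section C (disable POP/IMAP in inetd.conf) and the Section C/D fallback
# (tcp_wrappers access control) on a constructed sample config, so it runs
# offline. File paths and the 192.168.1.0 network are assumptions.

# Write a constructed inetd.conf (not a real system file) to $1.
make_sample_conf() {
    cat >"$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
pop-2   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop2d
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
#imap2  stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
EOF
}

# Count the active (uncommented) IMAP/POP service lines in $1.
count_active_imap_pop() {
    grep -E -c '^[[:space:]]*(imap[24]?|pop-?[23])[[:space:]]' "$1" || true
}

# Emit $1 with every active IMAP/POP line commented out; other services and
# lines that are already comments are left exactly as they were.
disable_imap_pop() {
    sed -E 's/^[[:space:]]*((imap[24]?|pop-?[23])[[:space:]].*)$/# CA-97.09 disabled: \1/' "$1"
}

# Fallback when the services cannot be turned off: tcp_wrappers rules that
# admit only the local network ($1, daemon names as inetd spawns them) and
# refuse everyone else. tcpd logs each connection attempt via syslog.
print_wrapper_rules() {
    printf '# /etc/hosts.allow\nimapd ipop2d ipop3d : %s\n' "$1"
    printf '# /etc/hosts.deny\nimapd ipop2d ipop3d : ALL\n'
}

# Demonstration on the sample file. On a live system the rewritten file would
# replace /etc/inetd.conf and inetd would be told to reread it, typically with
# kill -HUP on its pid; CA-97.09 notes that the exact step is vendor-specific.
conf=$(mktemp)
make_sample_conf "$conf"
echo "active IMAP/POP entries before: $(count_active_imap_pop "$conf")"
disable_imap_pop "$conf" > "$conf.new"
echo "active IMAP/POP entries after:  $(count_active_imap_pop "$conf.new")"
print_wrapper_rules "192.168.1.0/255.255.255.0"
rm -f "$conf" "$conf.new"
```

As the advisory notes, wrapper rules only narrow who can reach the vulnerable daemon; hosts on the allowed network can still exploit it until the patched server is installed.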