Executive Summary
Summary | |
---|---|
Title | imap security update |
Informations | |||
---|---|---|---|
Name | RHSA-2005:128 | First vendor Publication | 2005-02-23 |
Vendor | RedHat | Last vendor Modification | 2005-02-23 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated imap packages to correct a security vulnerability in CRAM-MD5 authentication are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Problem description: The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A logic error in the CRAM-MD5 code in the University of Washington IMAP (UW-IMAP) server was discovered. When Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does not properly enforce all the required conditions for successful authentication, which could allow remote attackers to authenticate as arbitrary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ 5. Bug IDs fixed (http://bugzilla.redhat.com/): 145469 - CAN-2005-0198 user validation issue in imap when using CRAM-MD5 authetication |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2005-128.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11306 | |||
Oval ID: | oval:org.mitre.oval:def:11306 | ||
Title: | Buffer overflow in enscript before 1.6.4 has unknown impact and attack vectors, possibly related to the font escape sequence. | ||
Description: | A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-0198 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 | Product(s): | |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2009-10-10 | Name : SLES9: Security update for imap File : nvt/sles9p5009350.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200502-02 (uw-imap) File : nvt/glsa_200502_02.nasl |
2008-09-04 | Name : FreeBSD Ports: imap-uw File : nvt/freebsd_imap-uw.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
13242 | UW-imapd CRAM-MD5 Authentication Bypass |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_9885.nasl - Type : ACT_GATHER_INFO |
2005-07-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_d1bbc235c0c945cd8d2dc1b8fd22e616.nasl - Type : ACT_GATHER_INFO |
2005-03-01 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2005_012.nasl - Type : ACT_GATHER_INFO |
2005-02-23 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-128.nasl - Type : ACT_GATHER_INFO |
2005-02-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200502-02.nasl - Type : ACT_GATHER_INFO |
2005-02-02 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-026.nasl - Type : ACT_GATHER_INFO |
2005-01-29 | Name : The remote host has an application that is affected by an authentication bypa... File : uw_imap_crammd5_bypass.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:49:03 |
|