Vulnerabilities > CVE-2005-0198 - Remote Authentication Bypass vulnerability in University Of Washington IMAP Server CRAM-MD5

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
university-of-washington
nessus

Summary

A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users.

Vulnerable Configurations

Part Description Count
Application
University_Of_Washington
1

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE9_9885.NASL
    descriptionThis update fixes a logical error in the challenge response authentication mechanism CRAM-MD5. Due to this mistake a remote attacker can gain access to the IMAP server as arbitrary user. (CVE-2005-0198)
    last seen2020-06-01
    modified2020-06-02
    plugin id41348
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41348
    titleSuSE9 Security Update : imap (YOU Patch Number 9885)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41348);
      script_version("1.8");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2005-0198");
    
      script_name(english:"SuSE9 Security Update : imap (YOU Patch Number 9885)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update fixes a logical error in the challenge response
    authentication mechanism CRAM-MD5. Due to this mistake a remote
    attacker can gain access to the IMAP server as arbitrary user.
    (CVE-2005-0198)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2005-0198/"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 9885.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"imap-2002e-92.4")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-026.NASL
    descriptionA vulnerability was discovered in the CRAM-MD5 authentication in UW-IMAP where, on the fourth failed authentication attempt, a user would be able to access the IMAP server regardless. This problem exists only if you are using CRAM-MD5 authentication and have an /etc/cram-md5.pwd file. This is not the default setup. The updated packages have been patched to prevent these problems.
    last seen2020-06-01
    modified2020-06-02
    plugin id16292
    published2005-02-02
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16292
    titleMandrake Linux Security Advisory : imap (MDKSA-2005:026)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:026. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16292);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2005-0198");
      script_xref(name:"CERT", value:"702777");
      script_xref(name:"MDKSA", value:"2005:026");
    
      script_name(english:"Mandrake Linux Security Advisory : imap (MDKSA-2005:026)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered in the CRAM-MD5 authentication in
    UW-IMAP where, on the fourth failed authentication attempt, a user
    would be able to access the IMAP server regardless. This problem
    exists only if you are using CRAM-MD5 authentication and have an
    /etc/cram-md5.pwd file. This is not the default setup.
    
    The updated packages have been patched to prevent these problems."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:imap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:imap-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64c-client-php0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64c-client-php0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libc-client-php0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libc-client-php0-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", reference:"imap-2002d-8.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"imap-devel-2002d-8.1.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"imap-utils-2002d-8.1.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", reference:"imap-2004-2.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"imap-devel-2004-2.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"imap-utils-2004-2.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64c-client-php0-2004-2.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64c-client-php0-devel-2004-2.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libc-client-php0-2004-2.1.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libc-client-php0-devel-2004-2.1.101mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200502-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200502-02 (UW IMAP: CRAM-MD5 authentication bypass) A logic bug in the code handling CRAM-MD5 authentication incorrectly specifies the condition for successful authentication. Impact : An attacker could exploit this vulnerability to authenticate as any mail user on a server with CRAM-MD5 authentication enabled. Workaround : Disable CRAM-MD5 authentication.
    last seen2020-06-01
    modified2020-06-02
    plugin id16439
    published2005-02-14
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16439
    titleGLSA-200502-02 : UW IMAP: CRAM-MD5 authentication bypass
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200502-02.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16439);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2005-0198");
      script_xref(name:"CERT", value:"702777");
      script_xref(name:"GLSA", value:"200502-02");
    
      script_name(english:"GLSA-200502-02 : UW IMAP: CRAM-MD5 authentication bypass");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200502-02
    (UW IMAP: CRAM-MD5 authentication bypass)
    
        A logic bug in the code handling CRAM-MD5 authentication incorrectly
        specifies the condition for successful authentication.
      
    Impact :
    
        An attacker could exploit this vulnerability to authenticate as any
        mail user on a server with CRAM-MD5 authentication enabled.
      
    Workaround :
    
        Disable CRAM-MD5 authentication."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200502-02"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All UW IMAP users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=net-mail/uw-imap-2004b'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:uw-imap");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-mail/uw-imap", unaffected:make_list("ge 2004b"), vulnerable:make_list("le 2004a"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "UW IMAP");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2005_012.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2005:012 (imap). The University of Washington imap daemon can be used to access mails remotely using the IMAP protocol. This update fixes a logical error in the challenge response authentication mechanism CRAM-MD5 used by UW IMAP. Due to this mistake a remote attacker can gain access to the IMAP server as arbitrary user. This is tracked by the Mitre CVE ID CVE-2005-0198.
    last seen2020-06-01
    modified2020-06-02
    plugin id17242
    published2005-03-01
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17242
    titleSUSE-SA:2005:012: imap
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2005:012
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(17242);
     script_version ("1.10");
     script_cve_id("CVE-2005-0198");
     
     name["english"] = "SUSE-SA:2005:012: imap";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2005:012 (imap).
    
    
    The University of Washington imap daemon can be used to access mails
    remotely using the IMAP protocol.
    
    This update fixes a logical error in the challenge response
    authentication mechanism CRAM-MD5 used by UW IMAP. Due to this
    mistake a remote attacker can gain access to the IMAP server as
    arbitrary user.
    
    This is tracked by the Mitre CVE ID CVE-2005-0198." );
     script_set_attribute(attribute:"solution", value:
    "http://www.suse.de/security/advisories/2005_12_imap.html" );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/01");
      script_cvs_date("Date: 2019/10/25 13:36:28");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the imap package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"imap-2002-56", release:"SUSE8.2") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"imap-2002d-59", release:"SUSE9.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"imap-2002e-92.4", release:"SUSE9.1") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"imap-2004a-3.2", release:"SUSE9.2") )
    {
     security_hole(0);
     exit(0);
    }
    if (rpm_exists(rpm:"imap-", release:"SUSE8.2")
     || rpm_exists(rpm:"imap-", release:"SUSE9.0")
     || rpm_exists(rpm:"imap-", release:"SUSE9.1")
     || rpm_exists(rpm:"imap-", release:"SUSE9.2") )
    {
     set_kb_item(name:"CVE-2005-0198", value:TRUE);
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_D1BBC235C0C945CD8D2DC1B8FD22E616.NASL
    descriptionThe CRAM-MD5 authentication support of the University of Washington IMAP and POP3 servers contains a vulnerability that may allow an attacker to bypass authentication and impersonate arbitrary users. Only installations with CRAM-MD5 support configured are affected.
    last seen2020-06-01
    modified2020-06-02
    plugin id19131
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19131
    titleFreeBSD : imap-uw -- authentication bypass when CRAM-MD5 is enabled (d1bbc235-c0c9-45cd-8d2d-c1b8fd22e616)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19131);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:37");
    
      script_cve_id("CVE-2005-0198");
      script_xref(name:"CERT", value:"702777");
    
      script_name(english:"FreeBSD : imap-uw -- authentication bypass when CRAM-MD5 is enabled (d1bbc235-c0c9-45cd-8d2d-c1b8fd22e616)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The CRAM-MD5 authentication support of the University of Washington
    IMAP and POP3 servers contains a vulnerability that may allow an
    attacker to bypass authentication and impersonate arbitrary users.
    Only installations with CRAM-MD5 support configured are affected."
      );
      # https://vuxml.freebsd.org/freebsd/d1bbc235-c0c9-45cd-8d2d-c1b8fd22e616.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?092e038d"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:imap-uw");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/06/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"imap-uw<2004b,1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-128.NASL
    descriptionUpdated imap packages to correct a security vulnerability in CRAM-MD5 authentication are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A logic error in the CRAM-MD5 code in the University of Washington IMAP (UW-IMAP) server was discovered. When Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does not properly enforce all the required conditions for successful authentication, which could allow remote attackers to authenticate as arbitrary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0198 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id17207
    published2005-02-23
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/17207
    titleRHEL 3 : imap (RHSA-2005:128)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:128. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17207);
      script_version ("1.22");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2005-0198");
      script_xref(name:"CERT", value:"702777");
      script_xref(name:"RHSA", value:"2005:128");
    
      script_name(english:"RHEL 3 : imap (RHSA-2005:128)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated imap packages to correct a security vulnerability in CRAM-MD5
    authentication are now available for Red Hat Enterprise Linux 3.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    The imap package provides server daemons for both the IMAP (Internet
    Message Access Protocol) and POP (Post Office Protocol) mail access
    protocols.
    
    A logic error in the CRAM-MD5 code in the University of Washington
    IMAP (UW-IMAP) server was discovered. When Challenge-Response
    Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does
    not properly enforce all the required conditions for successful
    authentication, which could allow remote attackers to authenticate as
    arbitrary users. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2005-0198 to this issue.
    
    All users of imap should upgrade to these updated packages, which
    contain a backported patch and are not vulnerable to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0198"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:128"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected imap, imap-devel and / or imap-utils packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:imap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:imap-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:128";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL3", reference:"imap-2002d-11")) flag++;
      if (rpm_check(release:"RHEL3", reference:"imap-devel-2002d-11")) flag++;
      if (rpm_check(release:"RHEL3", reference:"imap-utils-2002d-11")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "imap / imap-devel / imap-utils");
      }
    }
    
  • NASL familyMisc.
    NASL idUW_IMAP_CRAMMD5_BYPASS.NASL
    descriptionThere is a flaw in the remote UW-IMAP server which allows an authenticated user to log into the server as any user. The flaw is in the CRAM-MD5 authentication theme. An attacker, exploiting this flaw, would only need to identify a vulnerable UW-IMAP server which had enabled the CRAM-MD5 authentication scheme. The attacker would then be able to log in as any valid user. It is important to note that the IMAP daemon will automatically enable CRAM-MD5 if the /etc/cram-md5.pwd file exists.
    last seen2020-06-01
    modified2020-06-02
    plugin id16272
    published2005-01-29
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16272
    titleUW-IMAP CRAM-MD5 Remote Authentication Bypass

Oval

accepted2013-04-29T04:13:07.330-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
descriptionA logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users.
familyunix
idoval:org.mitre.oval:def:11306
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleBuffer overflow in enscript before 1.6.4 has unknown impact and attack vectors, possibly related to the font escape sequence.
version25

Redhat

advisories
rhsa
idRHSA-2005:128
rpms
  • imap-1:2002d-11
  • imap-debuginfo-1:2002d-11
  • imap-devel-1:2002d-11
  • imap-utils-1:2002d-11