CVE-2005-0198 - Remote Authentication Bypass vulnerability in University Of Washington IMAP Server CRAM-MD5
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |

Summary
A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Nessus
- NASL family: SuSE Local Security Checks
- NASL id: SUSE9_9885.NASL
- description: This update fixes a logical error in the challenge response authentication mechanism CRAM-MD5. Due to this mistake a remote attacker can gain access to the IMAP server as arbitrary user. (CVE-2005-0198)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 41348
- published: 2009-09-24
- reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/41348
- title: SuSE9 Security Update : imap (YOU Patch Number 9885)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(41348);
  script_version("1.8");
  script_cvs_date("Date: 2019/10/25 13:36:28");

  script_cve_id("CVE-2005-0198");

  script_name(english:"SuSE9 Security Update : imap (YOU Patch Number 9885)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SuSE 9 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update fixes a logical error in the challenge response authentication mechanism CRAM-MD5. Due to this mistake a remote attacker can gain access to the IMAP server as arbitrary user.
(CVE-2005-0198)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2005-0198/"
  );
  script_set_attribute(attribute:"solution", value:"Apply YOU patch number 9885.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");

flag = 0;
if (rpm_check(release:"SUSE9", reference:"imap-2002e-92.4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");
```

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2005-026.NASL
- description: A vulnerability was discovered in the CRAM-MD5 authentication in UW-IMAP where, on the fourth failed authentication attempt, a user would be able to access the IMAP server regardless. This problem exists only if you are using CRAM-MD5 authentication and have an /etc/cram-md5.pwd file. This is not the default setup. The updated packages have been patched to prevent these problems.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 16292
- published: 2005-02-02
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/16292
- title: Mandrake Linux Security Advisory : imap (MDKSA-2005:026)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2005:026.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(16292);
  script_version ("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:47");

  script_cve_id("CVE-2005-0198");
  script_xref(name:"CERT", value:"702777");
  script_xref(name:"MDKSA", value:"2005:026");

  script_name(english:"Mandrake Linux Security Advisory : imap (MDKSA-2005:026)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability was discovered in the CRAM-MD5 authentication in UW-IMAP where, on the fourth failed authentication attempt, a user would be able to access the IMAP server regardless. This problem exists only if you are using CRAM-MD5 authentication and have an /etc/cram-md5.pwd file. This is not the default setup. The updated packages have been patched to prevent these problems."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:imap-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:imap-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64c-client-php0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64c-client-php0-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libc-client-php0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libc-client-php0-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

flag = 0;
if (rpm_check(release:"MDK10.0", reference:"imap-2002d-8.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", reference:"imap-devel-2002d-8.1.100mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.0", reference:"imap-utils-2002d-8.1.100mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK10.1", reference:"imap-2004-2.1.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", reference:"imap-devel-2004-2.1.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", reference:"imap-utils-2004-2.1.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64c-client-php0-2004-2.1.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64c-client-php0-devel-2004-2.1.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libc-client-php0-2004-2.1.101mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libc-client-php0-devel-2004-2.1.101mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200502-02.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200502-02 (UW IMAP: CRAM-MD5 authentication bypass) A logic bug in the code handling CRAM-MD5 authentication incorrectly specifies the condition for successful authentication. Impact : An attacker could exploit this vulnerability to authenticate as any mail user on a server with CRAM-MD5 authentication enabled. Workaround : Disable CRAM-MD5 authentication.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 16439
- published: 2005-02-14
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/16439
- title: GLSA-200502-02 : UW IMAP: CRAM-MD5 authentication bypass
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200502-02.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(16439);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  script_cve_id("CVE-2005-0198");
  script_xref(name:"CERT", value:"702777");
  script_xref(name:"GLSA", value:"200502-02");

  script_name(english:"GLSA-200502-02 : UW IMAP: CRAM-MD5 authentication bypass");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200502-02
(UW IMAP: CRAM-MD5 authentication bypass)
A logic bug in the code handling CRAM-MD5 authentication incorrectly specifies the condition for successful authentication.
Impact :
An attacker could exploit this vulnerability to authenticate as any mail user on a server with CRAM-MD5 authentication enabled.
Workaround :
Disable CRAM-MD5 authentication."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200502-02"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All UW IMAP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-mail/uw-imap-2004b'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:uw-imap");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (qpkg_check(package:"net-mail/uw-imap", unaffected:make_list("ge 2004b"), vulnerable:make_list("le 2004a"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "UW IMAP");
}
```

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SA_2005_012.NASL
- description: The remote host is missing the patch for the advisory SUSE-SA:2005:012 (imap). The University of Washington imap daemon can be used to access mails remotely using the IMAP protocol. This update fixes a logical error in the challenge response authentication mechanism CRAM-MD5 used by UW IMAP. Due to this mistake a remote attacker can gain access to the IMAP server as arbitrary user. This is tracked by the Mitre CVE ID CVE-2005-0198.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 17242
- published: 2005-03-01
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/17242
- title: SUSE-SA:2005:012: imap
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2005:012
#

if ( ! defined_func("bn_random") ) exit(0);

include("compat.inc");

if(description)
{
  script_id(17242);
  script_version ("1.10");
  script_cve_id("CVE-2005-0198");

  name["english"] = "SUSE-SA:2005:012: imap";
  script_name(english:name["english"]);

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a vendor-supplied security patch" );
  script_set_attribute(attribute:"description", value:
"The remote host is missing the patch for the advisory SUSE-SA:2005:012 (imap). The University of Washington imap daemon can be used to access mails remotely using the IMAP protocol. This update fixes a logical error in the challenge response authentication mechanism CRAM-MD5 used by UW IMAP. Due to this mistake a remote attacker can gain access to the IMAP server as arbitrary user. This is tracked by the Mitre CVE ID CVE-2005-0198." );
  script_set_attribute(attribute:"solution", value:
"http://www.suse.de/security/advisories/2005_12_imap.html" );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/03/01");
  script_cvs_date("Date: 2019/10/25 13:36:28");
  script_end_attributes();

  summary["english"] = "Check for the version of the imap package";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  family["english"] = "SuSE Local Security Checks";
  script_family(english:family["english"]);

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/SuSE/rpm-list");
  exit(0);
}

include("rpm.inc");

if ( rpm_check( reference:"imap-2002-56", release:"SUSE8.2") )
{
  security_hole(0);
  exit(0);
}
if ( rpm_check( reference:"imap-2002d-59", release:"SUSE9.0") )
{
  security_hole(0);
  exit(0);
}
if ( rpm_check( reference:"imap-2002e-92.4", release:"SUSE9.1") )
{
  security_hole(0);
  exit(0);
}
if ( rpm_check( reference:"imap-2004a-3.2", release:"SUSE9.2") )
{
  security_hole(0);
  exit(0);
}
if (rpm_exists(rpm:"imap-", release:"SUSE8.2")
 || rpm_exists(rpm:"imap-", release:"SUSE9.0")
 || rpm_exists(rpm:"imap-", release:"SUSE9.1")
 || rpm_exists(rpm:"imap-", release:"SUSE9.2") )
{
  set_kb_item(name:"CVE-2005-0198", value:TRUE);
}
```

- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_D1BBC235C0C945CD8D2DC1B8FD22E616.NASL
- description: The CRAM-MD5 authentication support of the University of Washington IMAP and POP3 servers contains a vulnerability that may allow an attacker to bypass authentication and impersonate arbitrary users. Only installations with CRAM-MD5 support configured are affected.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 19131
- published: 2005-07-13
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/19131
- title: FreeBSD : imap-uw -- authentication bypass when CRAM-MD5 is enabled (d1bbc235-c0c9-45cd-8d2d-c1b8fd22e616)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(19131);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:37");

  script_cve_id("CVE-2005-0198");
  script_xref(name:"CERT", value:"702777");

  script_name(english:"FreeBSD : imap-uw -- authentication bypass when CRAM-MD5 is enabled (d1bbc235-c0c9-45cd-8d2d-c1b8fd22e616)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The CRAM-MD5 authentication support of the University of Washington IMAP and POP3 servers contains a vulnerability that may allow an attacker to bypass authentication and impersonate arbitrary users. Only installations with CRAM-MD5 support configured are affected."
  );
  # https://vuxml.freebsd.org/freebsd/d1bbc235-c0c9-45cd-8d2d-c1b8fd22e616.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?092e038d"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:imap-uw");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/06/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (pkg_test(save_report:TRUE, pkg:"imap-uw<2004b,1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2005-128.NASL
- description: Updated imap packages to correct a security vulnerability in CRAM-MD5 authentication are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A logic error in the CRAM-MD5 code in the University of Washington IMAP (UW-IMAP) server was discovered. When Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does not properly enforce all the required conditions for successful authentication, which could allow remote attackers to authenticate as arbitrary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0198 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 17207
- published: 2005-02-23
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/17207
- title: RHEL 3 : imap (RHSA-2005:128)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2005:128. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(17207);
  script_version ("1.22");
  script_cvs_date("Date: 2019/10/25 13:36:11");

  script_cve_id("CVE-2005-0198");
  script_xref(name:"CERT", value:"702777");
  script_xref(name:"RHSA", value:"2005:128");

  script_name(english:"RHEL 3 : imap (RHSA-2005:128)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated imap packages to correct a security vulnerability in CRAM-MD5 authentication are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols. A logic error in the CRAM-MD5 code in the University of Washington IMAP (UW-IMAP) server was discovered. When Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does not properly enforce all the required conditions for successful authentication, which could allow remote attackers to authenticate as arbitrary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0198 to this issue. All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2005-0198"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2005:128"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected imap, imap-devel and / or imap-utils packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:imap-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:imap-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/23");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2005:128";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL3", reference:"imap-2002d-11")) flag++;
  if (rpm_check(release:"RHEL3", reference:"imap-devel-2002d-11")) flag++;
  if (rpm_check(release:"RHEL3", reference:"imap-utils-2002d-11")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "imap / imap-devel / imap-utils");
  }
}
```

- NASL family: Misc.
- NASL id: UW_IMAP_CRAMMD5_BYPASS.NASL
- description: There is a flaw in the remote UW-IMAP server which allows an authenticated user to log into the server as any user. The flaw is in the CRAM-MD5 authentication scheme. An attacker, exploiting this flaw, would only need to identify a vulnerable UW-IMAP server which had enabled the CRAM-MD5 authentication scheme. The attacker would then be able to log in as any valid user. It is important to note that the IMAP daemon will automatically enable CRAM-MD5 if the /etc/cram-md5.pwd file exists.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 16272
- published: 2005-01-29
- reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/16272
- title: UW-IMAP CRAM-MD5 Remote Authentication Bypass

Oval
Field | Value |
---|---|
accepted | 2013-04-29T04:13:07.330-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users. |
family | unix |
id | oval:org.mitre.oval:def:11306 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Buffer overflow in enscript before 1.6.4 has unknown impact and attack vectors, possibly related to the font escape sequence. |
version | 25 |
References
- http://secunia.com/advisories/14057
- http://secunia.com/advisories/14097
- http://securitytracker.com/id?1013037
- http://www.gentoo.org/security/en/glsa/glsa-200502-02.xml
- http://www.kb.cert.org/vuls/id/702777
- http://www.kb.cert.org/vuls/id/CRDY-68QSL5
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:026
- http://www.redhat.com/support/errata/RHSA-2005-128.html
- http://www.securityfocus.com/bid/12391
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11306