Vulnerabilities > CVE-2005-0546 - Remote Buffer Overflow vulnerability in Cyrus IMAPD

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
cyrus
nessus

Summary

Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd.

Vulnerable Configurations

Part Description Count
Application
Cyrus
5

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-87-1.NASL
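    descriptionSean Larsson discovered a buffer overflow in the IMAP 'annotate' extension. This possibly allowed an authenticated IMAP client to execute arbitrary code with the privileges of the Cyrus IMAP server.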
    last seen2020-06-01
    modified2020-06-02
    plugin id20712
    published2006-01-15
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20712
    titleUbuntu 4.10 : cyrus21-imapd vulnerability (USN-87-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-87-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set, the script only declares its
    # metadata below and leaves through exit(0) before any host check runs.
    if (description)
    {
      script_id(20712);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:00");
    
      # Cross-references: the CVE and the Ubuntu Security Notice this check is tied to.
      script_cve_id("CVE-2005-0546");
      script_xref(name:"USN", value:"87-1");
    
      script_name(english:"Ubuntu 4.10 : cyrus21-imapd vulnerability (USN-87-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Sean Larsson discovered a buffer overflow in the IMAP 'annotate'
    extension. This possibly allowed an authenticated IMAP client to
    execute arbitrary code with the privileges of the Cyrus IMAP server.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # NOTE(review): the vector declares Au:N (no authentication required), while
      # the description text above speaks of an *authenticated* IMAP client.
      # Confirm which of the two the reported severity should reflect before
      # using this score for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Declared as a local check: the verdict is derived from package data (see
      # the required "Host/Debian/dpkg-l" key below), not from talking to the
      # IMAP service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # CPE entries: the cyrus21 packages covered by this plugin, then the OS release.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-admin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-imapd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-murder");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:cyrus21-pop3d");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libcyrus-imap-perl21");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
    
      # The plugin was published roughly ten months after the patch date.
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      # Knowledge-base keys the check needs. ssh_get_info.nasl is declared as the
      # dependency (presumably the plugin that collects them - confirm).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    # Pre-flight gates. Each audit() call names the reason the plugin cannot give
    # a verdict for this host (audit() comes from audit.inc; it presumably ends
    # the run at that point - confirm).

    # Local checks have to be enabled for the scan.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }

    # The host has to be Ubuntu, and exactly release 4.10.
    release = get_kb_item("Host/Ubuntu/release");
    if (isnull(release))
    {
      audit(AUDIT_OS_NOT, "Ubuntu");
    }
    release = chomp(release);
    if (!ereg(pattern:"^(4\.10)$", string:release))
    {
      audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
    }

    # The dpkg package listing has to be present in the knowledge base.
    if (!get_kb_item("Host/Debian/dpkg-l"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    # Only x86_64 and i386..i686 hosts are handled; any other CPU string is
    # reported as "not implemented" rather than as "not affected".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    }
    
    # Run ubuntu_check() once per cyrus21 package covered by USN-87-1, always with
    # the same version string, and count the calls that return true.
    # ubuntu_check() lives in ubuntu.inc; presumably it is true when the installed
    # package is older than pkgver - confirm against the include.
    usn_fixed_ver = "2.1.16-6ubuntu0.3";
    usn_pkgs = make_list(
      "cyrus21-admin",
      "cyrus21-clients",
      "cyrus21-common",
      "cyrus21-dev",
      "cyrus21-doc",
      "cyrus21-imapd",
      "cyrus21-murder",
      "cyrus21-pop3d",
      "libcyrus-imap-perl21"
    );

    flag = 0;
    foreach usn_pkg (usn_pkgs)
    {
      if (ubuntu_check(osver:"4.10", pkgname:usn_pkg, pkgver:usn_fixed_ver)) flag++;
    }

    # At least one package matched: raise one finding on port 0 whose body is the
    # text returned by ubuntu_report_get(), then stop.
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }

    # Nothing matched: distinguish "packages were examined and are not affected"
    # from "none of the packages is installed" in the audit trail.
    tested = ubuntu_pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "cyrus21-admin / cyrus21-clients / cyrus21-common / cyrus21-dev / etc");
    
  • NASL familyGain a shell remotely
    NASL idCYRUS_IMAP_MULTIPLE_VULNERABILITIES.NASL
    descriptionAccording to its banner, the remote Cyrus IMAP server is affected by off-by-one errors in its imapd annotate extension and its cached header handling which can be triggered by an authenticated user, a buffer overflow in fetchnews that can be triggered by a peer news admin, and an unspecified stack-based buffer overflow in imapd.
    last seen2020-06-01
    modified2020-06-02
    plugin id17208
    published2005-02-24
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17208
    titleCyrus IMAP Server < 2.2.11 Multiple Remote Overflows
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200502-29.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200502-29 (Cyrus IMAP Server: Multiple overflow vulnerabilities) Possible single byte overflows have been found in the imapd annotate extension and mailbox handling code. Furthermore stack-based buffer overflows have been found in fetchnews, the backend and imapd. Impact : An attacker, who could be an authenticated user or an admin of a peering news server, could exploit these vulnerabilities to execute arbitrary code with the rights of the user running the Cyrus IMAP Server. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id17206
    published2005-02-23
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17206
    titleGLSA-200502-29 : Cyrus IMAP Server: Multiple overflow vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-051.NASL
    descriptionSeveral overruns have been fixed in the IMAP annotate extension as well as in cached header handling, which can be triggered by an authenticated user. In addition, bounds checking in fetchnews was improved to avoid exploitation by a peer news admin.
    last seen2020-06-01
    modified2020-06-02
    plugin id17280
    published2005-03-06
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/17280
    titleMandrake Linux Security Advisory : cyrus-imapd (MDKSA-2005:051)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B2D248AD88F611D9AA180001020EED82.NASL
    descriptionThe Cyrus IMAP Server ChangeLog states : - Fix possible single byte overflow in mailbox handling code. - Fix possible single byte overflows in the imapd annotate extension. - Fix stack-based buffer overflows in fetchnews (exploitable by peer news server), backend (exploitable by admin), and in imapd (exploitable by users though only on platforms where a filename may be larger than a mailbox name). The 2.1.X series are reportedly only affected by the second issue. These issues may lead to execution of arbitrary code with the permissions of the user running the Cyrus IMAP Server.
    last seen2020-06-01
    modified2020-06-02
    plugin id19086
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19086
    titleFreeBSD : cyrus-imapd -- multiple buffer overflow vulnerabilities (b2d248ad-88f6-11d9-aa18-0001020eed82)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-408.NASL
    descriptionUpdated cyrus-imapd packages that fix several buffer overflow security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18280
    published2005-05-17
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18280
    titleRHEL 4 : cyrus-imapd (RHSA-2005:408)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-339.NASL
    descriptionSeveral buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. In addition this version of the rpm contains a collection of other fixes since the last FC3 update (see below changelog). IMPORTANT NOTE FOR X86_64 INSTALLATION: This rpm also fixes bug #156121, which incorrectly placed some executables in /usr/lib64/cyrus-imapd. /usr/lib64 is reserved for 64 bit libraries and this caused problems for existing scripts that expected to find them in a canonical location (/usr/lib/cyrus-imapd) and violated the multilib packaging guidelines. Only references external to the cyrus-imapd package are affected by this; the rpm is self consistent. The most notable example is /usr/lib64/cyrus-imapd/deliver which is now /usr/lib/cyrus-imapd/deliver (use of lmtp is encouraged in preference to deliver). This change only affects x86_64 installations. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id62256
    published2012-09-24
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62256
    titleFedora Core 3 : cyrus-imapd-2.2.12-1.1.fc3 (2005-339)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-408.NASL
    descriptionUpdated cyrus-imapd packages that fix several buffer overflow security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21935
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21935
    titleCentOS 4 : cyrus-imapd (CESA-2005:408)

Oval

accepted2013-04-29T04:07:38.898-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionMultiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd.
familyunix
idoval:org.mitre.oval:def:10674
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleMultiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd.
version27

Redhat

advisories
rhsa
idRHSA-2005:408
rpms
  • cyrus-imapd-0:2.2.12-3.RHEL4.1
  • cyrus-imapd-devel-0:2.2.12-3.RHEL4.1
  • cyrus-imapd-murder-0:2.2.12-3.RHEL4.1
  • cyrus-imapd-nntp-0:2.2.12-3.RHEL4.1
  • cyrus-imapd-utils-0:2.2.12-3.RHEL4.1
  • perl-Cyrus-0:2.2.12-3.RHEL4.1