A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users.

This update fixes a logical error in the challenge response authentication mechanism CRAM-MD5. Due to this mistake a remote attacker can gain access to the IMAP server as arbitrary user.
(CVE-2005-0198)

The CRAM-MD5 authentication support of the University of Washington IMAP and POP3 servers contains a vulnerability that may allow an attacker to bypass authentication and impersonate arbitrary users.
Only installations with CRAM-MD5 support configured are affected.

The remote host is missing the patch for the advisory SUSE-SA:2005:012 (imap).


The University of Washington imap daemon can be used to access mails remotely using the IMAP protocol.

This update fixes a logical error in the challenge response authentication mechanism CRAM-MD5 used by UW IMAP. Due to this mistake a remote attacker can gain access to the IMAP server as arbitrary user.

This is tracked by the Mitre CVE ID CVE-2005-0198.

Updated imap packages to correct a security vulnerability in CRAM-MD5 authentication are now available for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The imap package provides server daemons for both the IMAP (Internet Message Access Protocol) and POP (Post Office Protocol) mail access protocols.

A logic error in the CRAM-MD5 code in the University of Washington IMAP (UW-IMAP) server was discovered. When Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, UW-IMAP does not properly enforce all the required conditions for successful authentication, which could allow remote attackers to authenticate as arbitrary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0198 to this issue.

All users of imap should upgrade to these updated packages, which contain a backported patch and are not vulnerable to this issue.

The remote host is affected by the vulnerability described in GLSA-200502-02 (UW IMAP: CRAM-MD5 authentication bypass)

    A logic bug in the code handling CRAM-MD5 authentication incorrectly     specifies the condition for successful authentication.
  Impact :

    An attacker could exploit this vulnerability to authenticate as any     mail user on a server with CRAM-MD5 authentication enabled.
  Workaround :

    Disable CRAM-MD5 authentication.

A vulnerability was discovered in the CRAM-MD5 authentication in UW-IMAP where, on the fourth failed authentication attempt, a user would be able to access the IMAP server regardless. This problem exists only if you are using CRAM-MD5 authentication and have an /etc/cram-md5.pwd file. This is not the default setup.

The updated packages have been patched to prevent these problems.

There is a flaw in the remote UW-IMAP server which allows an authenticated user to log into the server as any user.  The flaw is in the CRAM-MD5 authentication theme. 

An attacker, exploiting this flaw, would only need to identify a vulnerable UW-IMAP server which had enabled the CRAM-MD5 authentication scheme. The attacker would then be able to log in as any valid user.

It is important to note that the IMAP daemon will automatically enable CRAM-MD5 if the /etc/cram-md5.pwd file exists.

There is a flaw in the remote UW-IMAP server that allows an authenticated user to log into the server as any user.  The flaw is in the CRAM-MD5 authentication theme.  An attacker exploiting this flaw would only need to identify a vulnerable UW-IMAP server that had enabled the CRAM-MD5 authentication scheme.  The attacker would then be able to log in as any valid user.
It is important to note that the IMAP daemon will automatically enable CRAM-MD5 if the /etc/cram-md5.pwd file exists.

ID	Name	Product	Family	Severity
41348	SuSE9 Security Update : imap (YOU Patch Number 9885)	Nessus	SuSE Local Security Checks	high
19131	FreeBSD : imap-uw -- authentication bypass when CRAM-MD5 is enabled (d1bbc235-c0c9-45cd-8d2d-c1b8fd22e616)	Nessus	FreeBSD Local Security Checks	high
17242	SUSE-SA:2005:012: imap	Nessus	SuSE Local Security Checks	high
17207	RHEL 3 : imap (RHSA-2005:128)	Nessus	Red Hat Local Security Checks	high
16439	GLSA-200502-02 : UW IMAP: CRAM-MD5 authentication bypass	Nessus	Gentoo Local Security Checks	high
16292	Mandrake Linux Security Advisory : imap (MDKSA-2005:026)	Nessus	Mandriva Local Security Checks	high
16272	UW-IMAP CRAM-MD5 Remote Authentication Bypass	Nessus	Misc.	high
2568	UW-imapd CRAM-MD5 Authentication Bypass	Nessus Network Monitor	IMAP Servers	medium

Detections

Analytics

CVE-2005-0198

critical

Tenable Plugins

high

high

high

high

high

high

high

medium