UW-IMAP CRAM-MD5 Remote Authentication Bypass

high Nessus Plugin ID 16272

Synopsis

The remote host has an application that is affected by an authentication bypass vulnerability.

Description

There is a flaw in the remote UW-IMAP server which allows an authenticated user to log into the server as any user. The flaw is in the CRAM-MD5 authentication scheme.

An attacker exploiting this flaw would only need to identify a vulnerable UW-IMAP server that has the CRAM-MD5 authentication scheme enabled. The attacker would then be able to log in as any valid user.

It is important to note that the IMAP daemon will automatically enable CRAM-MD5 if the /etc/cram-md5.pwd file exists.

Solution

Upgrade to the most recent version of UW-IMAP.
In addition, the fact that CRAM-MD5 is enabled indicates that the server is storing the IMAP passwords in plaintext.
Ensure that the /etc/cram-md5.pwd file is mode 0400.

Plugin Details

Severity: High

ID: 16272

File Name: uw_imap_crammd5_bypass.nasl

Version: 1.11

Type: remote

Family: Misc.

Published: 1/29/2005

Updated: 8/6/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

Excluded KB Items: imap/false_imap

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/4/2005

Reference Information

CVE: CVE-2005-0198

BID: 12391