Detections
Analytics

Mandrake Linux Security Advisory : fetchmail (MDKSA-2007:105)

low Nessus Plugin ID 25265

Synopsis

The remote Mandrake Linux host is missing one or more security updates.

Description

The APOP functionality in fetchmail's POP3 client implementation was validating the APOP challenge too lightly, accepting random garbage as a POP3 server's APOP challenge, rather than insisting it conform to RFC-822 specifications.

As a result of this flaw, it made man-in-the-middle attacks easier than necessary to retrieve the first few characters of the APOP secret, allowing them to potentially brute force the remaining characters easier than should be possible.

Updated packages have been patched to prevent these issues, however it should be noted that the APOP MD5-based authentication scheme should no longer be considered secure.

Solution

Update the affected fetchmail, fetchmail-daemon and / or fetchmailconf packages.

See Also

http://www.fetchmail.info/fetchmail-SA-2007-01.txt

Plugin Details

Severity: Low

ID: 25265

File Name: mandrake_MDKSA-2007-105.nasl

Version: 1.14

Type: local

Published: 5/20/2007

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/o:mandriva:linux:2007.1, p-cpe:/a:mandriva:linux:fetchmail-daemon, cpe:/o:mandriva:linux:2007, p-cpe:/a:mandriva:linux:fetchmailconf, p-cpe:/a:mandriva:linux:fetchmail

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 5/17/2007

Reference Information

CVE: CVE-2007-1558

MDKSA: 2007:105