**************************************************************************
Security Bulletin 9704 DISA Defense Communications System
April 8, 1997 Published by: DISN Security Coordination Center
(SCC@NIC.MIL) 1-(800) 365-3642
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.MIL [207.132.116.5] using login="anonymous" and password="guest". The bulletin pathname is scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9615.txt). They are also available on our WWW site at http://nic.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Computer !
! Emergency Response Team (CERT) and is being relayed unedited !
! via the Defense Information Systems Agency's Security !
! Coordination Center distribution system as a means of !
! providing DISN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - +
- -----------------------------------------------------------------------------
The CERT Coordination Center has received reports of a vulnerability in some versions of the Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) implementations (imapd, ipop2d, and ipop3d). Information about this vulnerability has been publicly distributed.
By exploiting this vulnerability, remote users can obtain unauthorized root access.
The CERT/CC team recommends installing a patch if one is available or upgrading to IMAP4rev1. Until you can do so, we recommend disabling the IMAP and POP services at your site.
We will update this advisory as we receive additional information. Please check our advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
The current version of Internet Message Access Protocol (IMAP) supports
both online and offline operation, permitting manipulation of remote
message folders. It provides access to multiple mailboxes (possibly on
multiple servers), and supports nested mailboxes as well as
resynchronization with the server. The current version also provides a
user with the ability to create, delete, and rename mailboxes. Additional
details concerning the functionality of IMAP can be found in RFC 2060
(the IMAP4rev1 specification) available from
http://ds.internic.net/rfc/rfc2060.txt
The Post Office Protocol (POP) was designed to support offline mail processing. That is, the client connects to the server to download mail that the server is holding for the client. The mail is deleted from the server and is handled offline (locally) on the client machine.
In both protocols, the server must run with root privileges so it can access mail folders and undertake some file manipulation on behalf of the user logging in. After login, these privileges are discarded. However, a vulnerability exists in the way the login transaction is handled, and this can be exploited to gain privileged access on the server. By preparing carefully crafted text to a system running a vulnerable version of these servers, remote users may be able to cause a buffer overflow and execute arbitrary instructions with root privileges.
Information about this vulnerability has been widely distributed.
Remote users can obtain root access on systems running a vulnerable IMAP or POP server. They do not need access to an account on the system to do this.
Install a patch from your vendor (see Section A) or upgrade to the latest version of IMAP (Section B). If your POP server is based on the University of Washington IMAP server code, you should also upgrade to the latest version of IMAP. Until you can take one of these actions, you should disable services (Section C). In all cases, we urge you to take the additional precaution described in Section D.
Below is a list of vendors who have provided information about this vulnerability. Details are in Appendix A of this advisory; we will update the appendix as we receive more information. If your vendor's name is not on this list, please contact your vendor directly.
An alternative to installing vendor patches is upgrading to IMAP4rev1,
which is available from
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
Until you can take one of the above actions, temporarily disable the POP and IMAP services. On many systems, you will need to edit the /etc/inetd.conf file. However, you should check your vendor's documentation because systems vary in file location and the exact changes required (for example, sending the inetd process a HUP signal or killing and restarting the daemon).
If you are not able to temporarily disable the POP and IMAP services, then you should at least limit access to the vulnerable services to machines in your local network. This can be done by installing the tcp_wrappers described in Section D, not only for logging but also for access control. Note that even with access control via tcp_wrappers, you are still vulnerable to attacks from hosts that are allowed to connect to the vulnerable POP or IMAP service.
Because IMAP or POP is launched out of inetd.conf, tcp_wrappers can be installed to log connections which can then be examined for suspicious activity. You may want to consider filtering connections at the firewall to discard unwanted/unauthorized connections.
The tcp_wrappers tool is available in
ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.5.tar.gz
MD5 (tcp_wrappers_7.5.tar.gz) = 8c7a17a12d9be746e0488f7f6bfa4abb
Note that this precaution does not address the vulnerability described in this advisory, but it is a good security practice in general.
...........................................................................
Below is a list of the vendors who have provided
information for this advisory. We will update this appendix as
we receive additional information. If you do not see your vendor's
name, the CERT/CC did not hear from that vendor. Please contact
the vendor directly.
=====================================
We're working on patches for both BSD/OS 2.1 and BSD/OS 3.0 for imap (which we include as part of pine).
Not vulnerable.
The IMAP servers included with all versions of Red Hat Linux have a buffer overrun which allow *remote* users to gain root access on systems which run them. A fix for Red Hat 4.1 is now available (details on it at the end of this note).
Users of Red Hat 4.0 should apply the Red Hat 4.1 fix. Users of previous releases of Red Hat Linux are strongly encouraged to upgrade or simply not run imap. You can remove imap from any machine running with Red Hat Linux 2.0 or later by running the command "rpm -e imap", rendering them immune to this problem.
All of the new packages are PGP signed with Red Hat's PGP key, and may be obtained from ftp.redhat.com:/updates/4.1. If you have direct Internet access, you may upgrade these packages on your system with the following commands:
Intel:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/i386/imap-4.1.BETA-3.i386.rpm
Alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/alpha/imap-4.1.BETA-3.alpha.rpm
MD5 (imap-4.1.BETA-3.alpha.rpm) = fd42ac24d7c4367ee51fd00e631cae5b
rpm -Uvh ftp://ftp.redhat.com/updates/4.1/sparc/imap-4.1.BETA-3.sparc.rpm
======================
We are investigating the problem.
This vulnerability has been detected in the University of Washington c-client library used in the UW IMAP and POP servers. This vulnerability affects all versions of imapd prior to v10.165, all versions of ipop2d prior to 2.3(32), and all versions of ipop3d prior to 3.3(27).
It is recommended that all sites using these servers upgrade to the latest versions, available in the UW IMAP toolkit:
ftp://ftp.cac.washington.edu/mail/imap.tar.Z
This is a source distribution which includes imapd, ipop2d, ipop3d. and the c-client library. The IMAP server in this distribution conforms with RFC2060 (the IMAP4rev1 specification).
Sites which are not yet prepared to upgrade from IMAP2bis to IMAP4 service may obtain a corrected IMAP2bis server as part of the latest (3.96) UW Pine distribution, available at:
ftp://ftp.cac.washington.edu/pine/pine.tar.Z
- -----------------------------------------------------------------------------
The CERT Coordination Center thanks the University of Washington's Computing and Communications staff for information relating to this advisory.
- -----------------------------------------------------------------------------
If you believe that your system has been compromised,
contact the CERT Coordination Center or your representative in
the Forum of Incident Response and Security Teams (see http://www.first.org/team-info)
- ---------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.
ftp://info.cert.org/pub/CERT_PGP.key
CERT publications and other security information are available from
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
- ---------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ****************************************************************************
* *
* *
* *
* *
* *
* *
* *
* *
****************************************************************************
PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as an service to the DOD
community. Neither the United States Government nor any of their
employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed,
or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government. The
opinions of the authors expressed herein do not necessarily state
or reflect those of the United States Government, and shall not
be used for advertising or product endorsement purposes.