Possible Vulnerable IMAP and POP Versions

Impact

Note: The vulnerabilities described here could not be confirmed with the certainty of those in Vulnerable IMAP and POP Versions, because either (1) the data compromise is more limited or (2) SARA could not confirm the vulnerability.

Remote users could obtain root access on systems running an IMAP or POP server that is vulnerable to buffer overflow attacks. An account on the system is not needed to exploit this vulnerability.

Background

IMAP provides remote access to a user's mailbox. It maintains a list of read and unread messages on the server, so that a user sees the same "view" of the mailbox from every mail client.

POP is similar to IMAP, but all received mail is transferred to the mail client. That is, the client connects to the server to download the mail the server is holding for it. The mail is then deleted from the server and handled offline (locally) on the client machine.

The Problem

This vulnerability allows remote intruders to execute arbitrary commands with the privileges of the process running the vulnerable IMAP server. If the vulnerable IMAP server is running as root, remote intruders can gain root access.

Resolution

If applicable, install a patch from your vendor or upgrade to the latest version of IMAP. If your POP server is based on the University of Washington IMAP server code, you should also upgrade to the latest version of IMAP.

Until you can take one of the above actions, temporarily disable the POP and IMAP services. On many systems this means editing the /etc/inetd.conf file and then telling inetd to reread it. Check your vendor's documentation, however, because systems vary in the file location and in the exact steps required (for example, sending the inetd process a HUP signal versus killing and restarting the daemon).
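The following shell script is an added example of the temporary workaround above; it is not part of the SARA page or any vendor procedure. It comments out the POP and IMAP entries of an inetd.conf-style file, checks that none remain active, and shows the HUP reload step. The service names it matches, the constructed sample file, and the /var/run/inetd.pid location are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example (not from the SARA page): temporarily disable POP and IMAP
# in an inetd.conf-style file and reload inetd. Service names, the sample
# file contents and the inetd PID file path are assumptions.

# Service names commonly used for POP/IMAP in /etc/services (assumption).
MAIL_SERVICES='pop2|pop3|pop-3|pop3s|imap|imap2|imaps'

# disable_mail_services FILE
# Prints FILE to stdout with every active POP/IMAP line prefixed by '#'.
# Lines that are already commented out are left untouched.
disable_mail_services() {
    sed -E "s/^[[:space:]]*(${MAIL_SERVICES})[[:space:]]/#&/" "$1"
}

# count_active_mail_services FILE
# Prints the number of POP/IMAP entries still enabled (0 means all disabled).
count_active_mail_services() {
    grep -Ec "^[[:space:]]*(${MAIL_SERVICES})[[:space:]]" "$1" || true
}

# reload_inetd
# Asks inetd to reread its configuration. Only run this on a real host after
# the rewritten file has been copied into place; some systems instead require
# killing and restarting inetd (see vendor documentation).
reload_inetd() {
    if [ -r /var/run/inetd.pid ]; then          # path is an assumption
        kill -HUP "$(cat /var/run/inetd.pid)"
    else
        echo "inetd PID file not found; restart inetd manually" >&2
        return 1
    fi
}

# Constructed sample inetd.conf (not a real system file) used as input.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
EOF

echo "active POP/IMAP entries before: $(count_active_mail_services "$SAMPLE")"
disable_mail_services "$SAMPLE" > "$SAMPLE.new"
echo "active POP/IMAP entries after:  $(count_active_mail_services "$SAMPLE.new")"
cat "$SAMPLE.new"
# On a real host: cp "$SAMPLE.new" /etc/inetd.conf && reload_inetd
rm -f "$SAMPLE" "$SAMPLE.new"
```

Run the script once against a copy of your inetd.conf and inspect the output before replacing the real file; the rewritten copy leaves all non-mail services (ftp, telnet in the sample) exactly as they were, so the change is easy to revert once a patched server is installed.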

Where can I read more about this?

Read more about this vulnerability in CERT Advisory 97.09, CERT Advisory 98.08, and CERT Advisory 98.09.