Possible Vulnerable IMAP and POP
Note: The vulnerabilities described here cannot be confirmed in the way that
those in Vulnerable IMAP and POP Versions can, because either (1) the data
compromise is more limited or (2) SARA could not confirm the vulnerability.
Remote users could obtain root access on systems running an IMAP or POP server
that is vulnerable to a buffer overflow.
Access to an account on the system is not needed to exploit this vulnerability.
IMAP provides remote access to a user's mailbox. It maintains a list
of unread as well as read messages so that a user gets the same "view" in a multiple
mail client environment.
POP is similar to IMAP, but all received mail is downloaded
to the mail client. That is, the client connects to the server to download the mail
the server is holding for it. The mail is then deleted from the server and handled
offline (locally) on the client machine.
This vulnerability allows remote intruders to execute arbitrary commands under the
privileges of the process running the vulnerable IMAP server. If the
vulnerable IMAP server is running as root, remote intruders can gain root access.
If applicable, install a patch from your vendor or upgrade to the latest version
of IMAP. If your POP server is based on the University
of Washington IMAP server code, you should also upgrade to the latest
version of IMAP.
Until you can take one of the above actions, temporarily disable the POP
and IMAP services. On many systems, you will need to edit the
/etc/inetd.conf file. However, you should check your vendor's
documentation because systems vary in file location and the exact changes required
(for example, sending the inetd process a HUP signal or killing and
restarting the daemon).
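The following is an added example, not part of the SARA page or any vendor's
documentation: a small POSIX shell script that comments out the POP and IMAP
entries in a classic inetd.conf (service name in the first field) and then
counts what is still active. The inetd.conf content and the pid-file path are
constructed for illustration; real locations vary by vendor as noted above.

```shell
#!/bin/sh
# Added example, not from the SARA page or any vendor: disable the POP and
# IMAP entries in a classic inetd.conf (service name in the first field) so
# that inetd stops accepting those connections until a patched server is in.

# disable_mail_services FILE
#   Comments out every active pop/imap line in FILE in place.
#   Returns 0 if at least one line was changed, 1 if nothing matched.
disable_mail_services() {
    file="$1"
    tmp="$file.tmp.$$"
    awk '
        /^[ \t]*#/ { print; next }                       # already commented
        $1 ~ /^(pop2|pop3|pop-3|pop3s|imap|imap2|imaps)$/ {
            print "#" $0; changed++; next }             # disable this service
        { print }
        END { exit (changed > 0 ? 0 : 1) }
    ' "$file" > "$tmp"
    rc=$?
    if [ "$rc" -eq 0 ]; then mv "$tmp" "$file"; else rm -f "$tmp"; fi
    return "$rc"
}

# count_active_mail_services FILE
#   Prints how many pop/imap entries in FILE are still active (post-check).
count_active_mail_services() {
    awk '!/^[ \t]*#/ && $1 ~ /^(pop2|pop3|pop-3|pop3s|imap|imap2|imaps)$/ { n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample inetd.conf so the example runs offline (not a real host).
sample="${TMPDIR:-/tmp}/inetd.conf.example.$$"
cat > "$sample" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
#imap2  stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
EOF

if disable_mail_services "$sample"; then
    echo "POP/IMAP disabled; active entries left: $(count_active_mail_services "$sample")"
    cat "$sample"
    # On a live system, make inetd reread its configuration afterwards:
    #   kill -HUP "$(cat /var/run/inetd.pid)"    # pid-file path varies by vendor
fi
rm -f "$sample"
```

Run it against a copy of your inetd.conf first and compare the output; only then apply it to the live file and signal inetd.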
Where can I read more about this?
Read more about this vulnerability in
CERT Advisory 97.09,
CERT Advisory 98.08, and
CERT Advisory 98.09.