J-Security Center

Title: Cyrus IMAPD Multiple Remote Vulnerabilities

Severity: CRITICAL

Description:

Cyrus IMAPD is a freely available, open source Interactive Mail Access Protocol (IMAP) daemon. It is available for Unix and Linux operating systems.

It is reported that Cyrus IMAPD is susceptible to multiple remote vulnerabilities.

The following specific issues have been identified:

The first vulnerability reportedly exists in the 'IMAPMAGICPLUS' support. This issue results from a failure of the application to properly bounds check the username as presented to the application prior to copying it to a fixed length memory buffer. This vulnerability exists prior to authentication, and is therefore reportedly exploitable by anonymous remote attackers. This vulnerability is reported to exist in versions from 2.2.4, up to and including version 2.2.8.

The second vulnerability reportedly exists in the parser for the 'PARTIAL' command. The parser equates 'body[p' to the 'body.peek' command. This results in a memory pointer being incorrectly incremented by 10 bytes rather than 5. Further processing on the affected memory pointer results in an incorrect offset that leads to accessing memory outside of the allocated buffer. A flaw in versions prior to 2.2.7 results in a single '\0' byte being written to a memory control structure, potentially leading to remote code execution in the context of the server application.

The third vulnerability reportedly exists in the parser for the 'FETCH' command. In a similar manner as the second issue, arguments containing 'body[p', or 'binary[p' may result in a memory pointer referencing regions outside of the allocated buffer. During further parsing, the 'PARSE_PARTIAL' macro is called, resulting in a corruption of a single byte, possibly resulting in remote code execution. Versions up to, and including 2.2.8 are reported susceptible.

The fourth vulnerability reportedly exists in the 'MULTIAPPENDS' support function, 'cmd_append'. In certain compilers, notably gcc 3.x, an array handling memory allocation routine may incorrectly increment a counter variable that is used to keep track of the number of elements in the array. When it comes time to deallocate the array, the result may be that 'free()' is called with an uninitialized, or possibly an attacker-supplied memory pointer. This may lead to remote code execution. Versions 2.2.7 and 2.2.8 are reportedly affected by this vulnerability.

These vulnerabilities reportedly allow remote, attacker-supplied machine code to be executed in the context of the affected server process. Cyrus-IMAPD is usually running as a non-privileged user.

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.0 3
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Apple Mac OS X 10.2.0
  • Apple Mac OS X 10.2.1
  • Apple Mac OS X 10.2.2
  • Apple Mac OS X 10.2.3
  • Apple Mac OS X 10.2.4
  • Apple Mac OS X 10.2.5
  • Apple Mac OS X 10.2.6
  • Apple Mac OS X 10.2.7
  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.0
  • Apple Mac OS X 10.3.1
  • Apple Mac OS X 10.3.2
  • Apple Mac OS X 10.3.3
  • Apple Mac OS X 10.3.4
  • Apple Mac OS X 10.3.5
  • Apple Mac OS X 10.3.6
  • Apple Mac OS X 10.3.7
  • Apple Mac OS X 10.3.8
  • Apple Mac OS X Server 10.0.0
  • Apple Mac OS X Server 10.1.0
  • Apple Mac OS X Server 10.1.1
  • Apple Mac OS X Server 10.1.2
  • Apple Mac OS X Server 10.1.3
  • Apple Mac OS X Server 10.1.4
  • Apple Mac OS X Server 10.1.5
  • Apple Mac OS X Server 10.2.0
  • Apple Mac OS X Server 10.2.1
  • Apple Mac OS X Server 10.2.2
  • Apple Mac OS X Server 10.2.3
  • Apple Mac OS X Server 10.2.4
  • Apple Mac OS X Server 10.2.5
  • Apple Mac OS X Server 10.2.6
  • Apple Mac OS X Server 10.2.7
  • Apple Mac OS X Server 10.2.8
  • Apple Mac OS X Server 10.3.0
  • Apple Mac OS X Server 10.3.1
  • Apple Mac OS X Server 10.3.2
  • Apple Mac OS X Server 10.3.3
  • Apple Mac OS X Server 10.3.4
  • Apple Mac OS X Server 10.3.5
  • Apple Mac OS X Server 10.3.6
  • Apple Mac OS X Server 10.3.7
  • Apple Mac OS X Server 10.3.8
  • Carnegie Mellon University Cyrus IMAP Server 2.1.10
  • Carnegie Mellon University Cyrus IMAP Server 2.1.16
  • Carnegie Mellon University Cyrus IMAP Server 2.1.7
  • Carnegie Mellon University Cyrus IMAP Server 2.1.9
  • Carnegie Mellon University Cyrus IMAP Server 2.2.0 .0 ALPHA
  • Carnegie Mellon University Cyrus IMAP Server 2.2.1 BETA
  • Carnegie Mellon University Cyrus IMAP Server 2.2.2 beta
  • Carnegie Mellon University Cyrus IMAP Server 2.2.3
  • Carnegie Mellon University Cyrus IMAP Server 2.2.4
  • Carnegie Mellon University Cyrus IMAP Server 2.2.5
  • Carnegie Mellon University Cyrus IMAP Server 2.2.6
  • Carnegie Mellon University Cyrus IMAP Server 2.2.7
  • Carnegie Mellon University Cyrus IMAP Server 2.2.8
  • Conectiva Linux 10.0.0
  • Conectiva Linux 9.0.0
  • Cyrusoft libSieve 2.1.2
  • Easy Software Products CUPS 1.1.20
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • OpenPKG OpenPKG Current
  • RedHat Fedora Core2
  • RedHat Fedora Core3
  • S.u.S.E. Linux 8.1.0
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Trustix Secure Linux 2.2.0
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc
  • Xpdf Xpdf 3.0.0 0
  • libpng libpng 1.0.15
  • libpng libpng3 1.2.5

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.