JVNDB-2007-000295

APOP password recovery vulnerability

Overview

POP3 is a protocol for receiving email from mail servers. APOP is an authentication mechanism used by the POP3 protocol.

It is reported that APOP passwords could be recovered by third parties.

In a successful attack, the attacker impersonates the mail server, provides challenge strings to the client, and collects the client's responses. The attacker must repeat this process for a certain period of time without the user noticing the attack.

CVSS Severity

Base Metrics: 5.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

Claws Mail
  • Claws Mail 2.9.0 and earlier
Fetchmail Project
  • Fetchmail earlier than 6.3.8
mozilla.org contributors
  • Mozilla SeaMonkey 1.0.8 and earlier
  • Mozilla SeaMonkey 1.1.1 and earlier
  • Mozilla Thunderbird 1.5.0.11 and earlier
  • Mozilla Thunderbird 2.0.0.3 and earlier
mpop
  • mpop 1.0.8 and earlier
Mutt
  • Mutt 1.4.2.2 and earlier
Sylpheed
  • Sylpheed 2.3.1 and earlier
Turbolinux, Inc.
  • Turbolinux 10 Desktop
  • Turbolinux 10 F...
  • Turbolinux 10 Server
  • Turbolinux 10 Server x64 Edition
  • Turbolinux FUJI
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Home
  • wizpy
Hewlett-Packard Development Company, L.P
  • HP-UX 11.11
  • HP-UX 11.23
  • HP-UX 11.31
MIRACLE LINUX CORPORATION
  • Asianux Server 3 for x86
  • Asianux Server 3 for x86-64
  • MIRACLE LINUX V4.0
  • MIRACLE LINUX V4.0 for x86-64
Red Hat, Inc.
  • RHEL Optional Productivity Applications (v.5 server)
  • Red Hat Desktop (v.3)
  • Red Hat Desktop (v.4)
  • Red Hat Enterprise Linux (v.5 server)
  • Red Hat Enterprise Linux AS (v.2.1)
  • Red Hat Enterprise Linux AS (v.3)
  • Red Hat Enterprise Linux AS (v.4)
  • Red Hat Enterprise Linux AS (v.4.8.z)
  • Red Hat Enterprise Linux Desktop (v.5 client)
  • Red Hat Enterprise Linux ES (v.2.1)
  • Red Hat Enterprise Linux ES (v.3)
  • Red Hat Enterprise Linux ES (v.4)
  • Red Hat Enterprise Linux ES (v.4.8.z)
  • Red Hat Enterprise Linux EUS (v. 5.3.z server)
  • Red Hat Enterprise Linux WS (v.2.1)
  • Red Hat Enterprise Linux WS (v.3)
  • Red Hat Enterprise Linux WS (v.4)
  • Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
  • RHEL Desktop Workstation (v.5 client)

Impact

APOP passwords may be compromised. When the same password is used for other systems, those systems could be compromised as well.

Solution

As this is a protocol issue, software fixes cannot fundamentally solve it. Encrypted communication such as POP over SSL is recommended. Moreover, users should use different passwords for different services or accounts to minimize the risk of their accounts being compromised.
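
The challenge/response exchange described in the Overview and the POP over SSL recommendation above, as an added Python example that is not part of this advisory or of any listed vendor's code. The RFC 1939 timestamp, user name and shared secret come from the worked example in RFC 1939 (reference 13); the S:/C: dialogue format and the three sample sessions are constructed for illustration. It computes the APOP response, checks that a server challenge has the RFC 1939 timestamp shape, and audits a captured dialogue for APOP or PASS being sent before TLS is in place.

```python
"""Defensive view of APOP (RFC 1939): the server picks the challenge, the
client answers with MD5(challenge || password).  Because the challenge is
server-chosen, anyone who can impersonate the server chooses what the client
hashes, so the advisory's mitigation is to protect the session with TLS and
to reuse no password elsewhere.  Added example, not vendor code.
"""
import hashlib
import re
from typing import List, Optional

# RFC 1939 timestamp shape: <process-ID.clock@hostname>, i.e. exactly one
# '<', one '@' and one '>', with no whitespace inside.
_TIMESTAMP_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")


def extract_challenge(banner: str) -> Optional[str]:
    """Return the <...> timestamp from a '+OK ...' POP3 greeting, or None."""
    if not banner.startswith("+OK"):
        return None
    match = re.search(r"<[^>]*>", banner)
    return match.group(0) if match else None


def challenge_is_well_formed(challenge: str) -> bool:
    """Accept only challenges shaped like RFC 1939's <process-ID.clock@host>."""
    return bool(_TIMESTAMP_RE.match(challenge))


def apop_digest(challenge: str, password: str) -> str:
    """Client-side APOP response: lower-case hex MD5 over timestamp + secret."""
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


def audit_session(lines: List[str]) -> List[str]:
    """Walk a captured POP3 dialogue ('S: ' / 'C: ' prefixed lines, a
    constructed format) and report what a defender would flag."""
    findings: List[str] = []
    tls_active = False
    challenge: Optional[str] = None
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "S" and challenge is None and text.startswith("+OK"):
            challenge = extract_challenge(text)
            if challenge is not None and not challenge_is_well_formed(challenge):
                findings.append(f"malformed APOP challenge from server: {challenge}")
        elif side == "C" and text.upper() == "STLS":
            tls_active = True  # assumes the server's next +OK completes the handshake
        elif side == "C" and text.upper().startswith("APOP "):
            if not tls_active:
                findings.append("APOP digest sent over an unencrypted session")
        elif side == "C" and text.upper().startswith("PASS "):
            if not tls_active:
                findings.append("cleartext PASS sent over an unencrypted session")
    return findings


# Constructed sample dialogues; timestamp, user and digest are RFC 1939's example.
RFC_CHALLENGE = "<1896.697170952@dbc.mtview.ca.us>"
PLAINTEXT_APOP = [
    f"S: +OK POP3 server ready {RFC_CHALLENGE}",
    "C: APOP mrose c4c9334bac560ecc979e58001b3e22fb",
    "S: +OK maildrop has 1 message (369 octets)",
]
TLS_FIRST = [
    f"S: +OK POP3 server ready {RFC_CHALLENGE}",
    "C: STLS",
    "S: +OK Begin TLS negotiation",
    "C: APOP mrose c4c9334bac560ecc979e58001b3e22fb",
    "S: +OK maildrop has 1 message (369 octets)",
]
ODD_CHALLENGE = [
    "S: +OK POP3 server ready <notatimestamp>",  # lacks the '@' RFC 1939 requires
    "C: APOP mrose 00000000000000000000000000000000",
]

if __name__ == "__main__":
    print(apop_digest(RFC_CHALLENGE, "tanstaaf"))  # RFC 1939's worked value
    for name, session in (("plaintext", PLAINTEXT_APOP), ("tls", TLS_FIRST),
                          ("odd", ODD_CHALLENGE)):
        print(name, audit_session(session) or ["no findings"])
```

The audit only treats a session as protected once the client has issued STLS; a client configured for POP over SSL on a dedicated port never sends APOP in the clear at all, which is the configuration the Solution recommends.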

Vendor Information

  • Claws Mail
  • Fetchmail Project
  • mozilla.org contributors
  • mpop
  • Mutt
  • Sylpheed
  • Turbolinux, Inc.
  • Hewlett-Packard Development Company, L.P
  • MIRACLE LINUX CORPORATION
  • Red Hat, Inc.

CWE

  1. Permissions (CWE-264) [NVD Evaluation]

CVE

  1. CVE-2007-1558

References

  1. JVN : JVNTA07-151A (Japanese)
  2. JVN : JVN#19445002
  3. JVN Status Tracking Notes : TRTA07-151A (Japanese)
  4. National Vulnerability Database (NVD) : CVE-2007-1558
  5. US-CERT Cyber Security Alerts : SA07-151A
  6. US-CERT Technical Cyber Security Alert : TA07-151A
  7. SecurityFocus : 23257
  8. SecurityTracker : 1018008
  9. FrSIRT Advisories : FrSIRT/ADV-2007-1466
  10. FrSIRT Advisories : FrSIRT/ADV-2007-1480
  11. FrSIRT Advisories : FrSIRT/ADV-2007-1468
  12. FrSIRT Advisories : FrSIRT/ADV-2007-1467
  13. IETF : RFC 1939: Post Office Protocol - Version 3

Revision History

[2008/05/21]
  Web page published
[2009/08/06]
  Affected Products : Added MIRACLE LINUX CORPORATION (ruby-1.8.5-5.7.1AXS3).
  Affected Products : Added MIRACLE LINUX CORPORATION (1746).
  Affected Products : Added Red Hat, Inc. (RHSA-2009:1140).
  Vendor Information : Added MIRACLE LINUX CORPORATION (ruby-1.8.5-5.7.1AXS3).
  Vendor Information : Added MIRACLE LINUX CORPORATION (1746).
  Vendor Information : Added Red Hat, Inc. (RHSA-2009:1140).