|
JVNDB-2007-000295
|
APOP password recovery vulnerability
|
POP3 is a protocol for receiving email from mail servers. APOP is an authentication mechanism used by the POP3 protocol.
It has been reported that APOP passwords could be recovered by third parties.
For the attack to succeed, the attacker impersonates the mail server, sends challenge strings to the client, and collects the client's responses. The attacker needs to repeat this process for a certain period of time without alerting the user to the attack.
|
CVSS V2 Severity: Base Metrics 5.4 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: Complete
- Integrity Impact: None
- Availability Impact: None
|
|
Claws Mail
- Claws Mail 2.9.0 and earlier
Fetchmail Project
- Fetchmail earlier than 6.3.8
mozilla.org contributors
- Mozilla SeaMonkey 1.0.8 and earlier
- Mozilla SeaMonkey 1.1.1 and earlier
- Mozilla Thunderbird 1.5.0.11 and earlier
- Mozilla Thunderbird 2.0.0.3 and earlier
mpop
Mutt
Sylpheed
- Sylpheed 2.3.1 and earlier
Turbolinux, Inc.
- Turbolinux 10_f
- Turbolinux Desktop 10
- Turbolinux FUJI
- Turbolinux Multimedia
- Turbolinux Personal
- Turbolinux Server 10
- Turbolinux Server 10 (x64)
- Turbolinux Home
- wizpy
Hewlett-Packard Development Company, L.P.
- HP-UX 11.11
- HP-UX 11.23
- HP-UX 11.31
MIRACLE LINUX CORPORATION
- Asianux Server 3 (x86)
- Asianux Server 3 (x86-64)
- Asianux Server 4.0
- Asianux Server 4.0 (x86-64)
Red Hat, Inc.
- RHEL Optional Productivity Applications 5 (server)
- Red Hat Enterprise Linux 5 (server)
- Red Hat Enterprise Linux 2.1 (as)
- Red Hat Enterprise Linux 3 (as)
- Red Hat Enterprise Linux 4 (as)
- Red Hat Enterprise Linux 2.1 (es)
- Red Hat Enterprise Linux 3 (es)
- Red Hat Enterprise Linux 4 (es)
- Red Hat Enterprise Linux 2.1 (ws)
- Red Hat Enterprise Linux 3 (ws)
- Red Hat Enterprise Linux 4 (ws)
- Red Hat Enterprise Linux 4.8 (as)
- Red Hat Enterprise Linux 4.8 (es)
- Red Hat Enterprise Linux Desktop 3.0
- Red Hat Enterprise Linux Desktop 4.0
- Red Hat Enterprise Linux Desktop 5.0 (client)
- Red Hat Enterprise Linux EUS 5.3.z (server)
- Red Hat Linux Advanced Workstation 2.1
- RHEL Desktop Workstation 5 (client)
|
|
APOP passwords may be compromised. When the same password is used for other systems, those systems could be compromised as well.
|
Because this is a flaw in the protocol itself, software fixes cannot fundamentally resolve it. Encrypted communications such as POP over SSL are recommended. In addition, users should use different passwords for different services or accounts to minimize the risk of their accounts being compromised.
|
Claws Mail
Fetchmail Project
mozilla.org contributors
mpop
Mutt
Sylpheed
Turbolinux, Inc.
Hewlett-Packard Development Company, L.P.
MIRACLE LINUX CORPORATION
Red Hat, Inc.
|
- Permissions(CWE-264) [NVD Evaluation]
|
- CVE-2007-1558
|
- JVN : JVNTA07-151A (Japanese)
- JVN : JVN#19445002
- JVN Status Tracking Notes : TRTA07-151A (Japanese)
- National Vulnerability Database (NVD) : CVE-2007-1558
- US-CERT Cyber Security Alerts : SA07-151A
- US-CERT Technical Cyber Security Alert : TA07-151A
- SecurityFocus : 23257
- SecurityTracker : 1018008
- FrSIRT Advisories : FrSIRT/ADV-2007-1466
- FrSIRT Advisories : FrSIRT/ADV-2007-1480
- FrSIRT Advisories : FrSIRT/ADV-2007-1468
- FrSIRT Advisories : FrSIRT/ADV-2007-1467
- IETF : RFC 1939: Post Office Protocol - Version 3
|
- [2008/05/21]
  Web page published
- [2009/08/06]
  Affected Products : Added MIRACLE LINUX CORPORATION (ruby-1.8.5-5.7.1AXS3).
  Affected Products : Added MIRACLE LINUX CORPORATION (1746).
  Affected Products : Added Red Hat, Inc. (RHSA-2009:1140).
  Vendor Information : Added MIRACLE LINUX CORPORATION (ruby-1.8.5-5.7.1AXS3).
  Vendor Information : Added MIRACLE LINUX CORPORATION (1746).
  Vendor Information : Added Red Hat, Inc. (RHSA-2009:1140).
|