JVNDB-2007-000295

APOP password recovery vulnerability

Overview

POP3 is a protocol for receiving email from mail servers. APOP is an authentication mechanism used by the POP3 protocol.

It is reported that APOP passwords could be recovered by third parties.

In a successful attack, the attacker impersonates the mail server, sends challenge strings to the client, and collects the client's responses. The attacker must repeat this process over a period of time without the user noticing the attack.
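The exchange above rests on RFC 1939 section 7 (reference 13 on this page): the server greeting carries a timestamp, and the client replies with the MD5 of that timestamp concatenated with the password, so a client will hash whatever challenge a spoofed server sends. The following is an added example, not code from the advisory or any listed product; it computes the RFC 1939 response and, as a defensive measure this example assumes rather than one the advisory prescribes, refuses challenges that fall outside a strict msg-id grammar. The names `apop_digest`, `valid_apop_timestamp` and `apop_command` are this example's own.

```python
import hashlib
import re
from typing import Optional

# RFC 1939 section 7: greeting timestamp looks like <process-ID.clock@hostname>,
# client answers "APOP <user> <hex MD5(timestamp + password)>". The recovery
# attack in the overview works because the client hashes any "timestamp" a
# spoofed server hands it. A strict format check limits attacker control over
# the hashed bytes; it does not fix the protocol (the advisory's advice remains
# POP over SSL and distinct passwords per service).

# Assumed strict grammar (this example's choice): exactly one '@', and only
# ASCII letters, digits and . _ - on either side of it.
_TIMESTAMP_RE = re.compile(r"^<[A-Za-z0-9._-]+@[A-Za-z0-9._-]+>$")


def apop_digest(timestamp: str, password: str) -> str:
    """Response digest exactly as RFC 1939 defines it."""
    return hashlib.md5((timestamp + password).encode("utf-8")).hexdigest()


def valid_apop_timestamp(timestamp: str) -> bool:
    """True only for a challenge matching the assumed strict msg-id form."""
    return _TIMESTAMP_RE.fullmatch(timestamp) is not None


def apop_command(greeting: str, user: str, password: str) -> Optional[str]:
    """Build the APOP command for a +OK greeting, or None if the challenge is rejected.

    Returning None lets the client abort the session instead of handing the
    peer a digest over an attacker-chosen challenge.
    """
    if not greeting.startswith("+OK"):
        return None
    start, end = greeting.find("<"), greeting.find(">")
    if start == -1 or end == -1 or end < start:
        return None
    timestamp = greeting[start:end + 1]
    if not valid_apop_timestamp(timestamp):
        return None
    return f"APOP {user} {apop_digest(timestamp, password)}"


if __name__ == "__main__":
    # Constructed greetings: the RFC 1939 example, and a spoofed one whose
    # "timestamp" carries bytes a real server would never emit.
    good = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
    bad = "+OK POP3 server ready <\x80\xff junk@host@x>"
    print(apop_command(good, "mrose", "tanstaaf"))  # APOP mrose c4c9334bac560ecc979e58001b3e22fb
    print(apop_command(bad, "mrose", "tanstaaf"))   # None
```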

CVSS Severity

CVSS V2 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

Claws Mail
  • Claws Mail 2.9.0 and earlier
Fetchmail Project
  • Fetchmail earlier than 6.3.8
mozilla.org contributors
  • Mozilla SeaMonkey 1.0.8 and earlier
  • Mozilla SeaMonkey 1.1.1 and earlier
  • Mozilla Thunderbird 1.5.0.11 and earlier
  • Mozilla Thunderbird 2.0.0.3 and earlier
mpop
  • mpop 1.0.8 and earlier
Mutt
  • Mutt 1.4.2.2 and earlier
Sylpheed
  • Sylpheed 2.3.1 and earlier
Turbolinux, Inc.
  • Turbolinux 10_f
  • Turbolinux Desktop 10
  • Turbolinux FUJI
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Server 10
  • Turbolinux Server 10 (x64)
  • Turbolinux Home
  • wizpy
Hewlett-Packard Development Company, L.P
  • HP-UX 11.11
  • HP-UX 11.23
  • HP-UX 11.31
MIRACLE LINUX CORPORATION
  • Asianux Server 3 (x86)
  • Asianux Server 3 (x86-64)
  • Asianux Server 4.0
  • Asianux Server 4.0 (x86-64)
Red Hat, Inc.
  • RHEL Optional Productivity Applications 5 (server)
  • Red Hat Enterprise Linux 5 (server)
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 4 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 4 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux 4 (ws)
  • Red Hat Enterprise Linux 4.8 (as)
  • Red Hat Enterprise Linux 4.8 (es)
  • Red Hat Enterprise Linux Desktop 3.0
  • Red Hat Enterprise Linux Desktop 4.0
  • Red Hat Enterprise Linux Desktop 5.0 (client)
  • Red Hat Enterprise Linux EUS 5.3.z (server)
  • Red Hat Linux Advanced Workstation 2.1
  • RHEL Desktop Workstation 5 (client)

Impact

APOP passwords may be compromised. When the same password is used for other systems, those systems could be compromised as well.

Solution

Because this is a protocol issue, software fixes alone cannot fundamentally resolve it. Encrypted communication such as POP over SSL is recommended. In addition, users should use different passwords for different services or accounts to minimize the risk of account compromise.

Vendor Information

  • Claws Mail
  • Fetchmail Project
  • mozilla.org contributors
  • mpop
  • Mutt
  • Sylpheed
  • Turbolinux, Inc.
  • Hewlett-Packard Development Company, L.P
  • MIRACLE LINUX CORPORATION
  • Red Hat, Inc.

CWE

  1. Permissions (CWE-264) [NVD Evaluation]

CVE

  1. CVE-2007-1558

References

  1. JVN : JVNTA07-151A (Japanese)
  2. JVN : JVN#19445002
  3. JVN Status Tracking Notes : TRTA07-151A (Japanese)
  4. National Vulnerability Database (NVD) : CVE-2007-1558
  5. US-CERT Cyber Security Alerts : SA07-151A
  6. US-CERT Technical Cyber Security Alert : TA07-151A
  7. SecurityFocus : 23257
  8. SecurityTracker : 1018008
  9. FrSIRT Advisories : FrSIRT/ADV-2007-1466
  10. FrSIRT Advisories : FrSIRT/ADV-2007-1480
  11. FrSIRT Advisories : FrSIRT/ADV-2007-1468
  12. FrSIRT Advisories : FrSIRT/ADV-2007-1467
  13. IETF : RFC 1939: Post Office Protocol - Version 3

Revision History

  • [2008/05/21]
      Web page published
  • [2009/08/06]
      Affected Products : Added MIRACLE LINUX CORPORATION (ruby-1.8.5-5.7.1AXS3).
      Affected Products : Added MIRACLE LINUX CORPORATION (1746).
      Affected Products : Added Red Hat, Inc. (RHSA-2009:1140).
      Vendor Information : Added MIRACLE LINUX CORPORATION (ruby-1.8.5-5.7.1AXS3).
      Vendor Information : Added MIRACLE LINUX CORPORATION (1746).
      Vendor Information : Added Red Hat, Inc. (RHSA-2009:1140).