
CERT-In Advisory CIAD-2007-02
Fetchmail multiple password information disclosure and denial of service vulnerabilities

Original issue date: January 09, 2007

Severity Rating: High

Systems Affected

  • Fetchmail 6.3.5
  • Fetchmail 6.3.6

Overview

Multiple vulnerabilities have been reported in Fetchmail which could be exploited by remote attackers to cause a denial of service and to execute arbitrary commands on the affected system.

Description

Fetchmail retrieves mail from remote POP2, POP3, IMAP, ETRN or ODMR servers and forwards it to local SMTP or LMTP servers or to message delivery agents.

1. Fetchmail multiple password information disclosure vulnerabilities (CVE-2006-5867)

Multiple vulnerabilities have been reported in Fetchmail which could be exploited by remote attackers to execute arbitrary commands and to disclose password information. An attacker may exploit these vulnerabilities using standard network utilities to compromise a vulnerable system.

2. Fetchmail multiple Denial of Service vulnerabilities (CVE-2006-5974)

A vulnerability has been reported in Fetchmail due to the application's failure to handle exceptional conditions: it can crash when refusing a message bound for an MDA. A remote attacker could exploit this vulnerability to cause a denial of service on the affected system.

Workaround

• Use "fetchmail --ssl --sslcertck --sslproto ssl3" on the command line, or the equivalent in the run control file. This encrypts the whole session on a dedicated port.
• Avoid the mda option and ship to a local SMTP or LMTP server.
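A small audit script for the run-control form of these two workarounds, added here as an example and not part of the advisory or of Fetchmail itself. It assumes the standard .fetchmailrc keywords (ssl, sslcertck, sslproto, mda, smtphost); the host name, user and password in the sample files are constructed.

```shell
# Audit a .fetchmailrc against the two workarounds above (added example, not from
# the advisory). Assumes the standard run-control keywords ssl, sslcertck,
# sslproto and mda, and does not handle a '#' inside quoted strings.
audit_fetchmailrc() {
    # Prints one line per poll entry: "<host> OK" or "<host> WEAK: <reasons>".
    # Exit status is 0 when every entry passes, 1 otherwise.
    awk '
        { sub(/#.*/, ""); text = text " " $0 }   # drop comments, flatten entries
        END {
            n = split(text, words, /[ \t]+/)
            host = ""; bad = 0
            for (i = 1; i <= n; i++) {
                w = words[i]
                # "no ssl" / "no sslcertck" negate the keyword that follows
                val = (i > 1 && words[i - 1] == "no") ? 0 : 1
                if (w == "poll" || w == "skip") {
                    if (host != "") bad += report(host)
                    host = words[i + 1]; ssl = certck = proto = mda = 0
                }
                if (w == "ssl")       ssl = val
                if (w == "sslcertck") certck = val
                if (w == "sslproto")  proto = val
                if (w == "mda")       mda = 1
            }
            if (host != "") bad += report(host)
            exit (bad > 0 ? 1 : 0)
        }
        function report(h,   r) {
            if (!ssl)    r = r " no-ssl"
            if (!certck) r = r " no-sslcertck"
            if (!proto)  r = r " no-sslproto"
            if (mda)     r = r " uses-mda"
            if (r == "") { print h " OK"; return 0 }
            print h " WEAK:" r; return 1
        }
    ' "$1"
}

# Constructed samples: the weak form (plaintext session, delivery through an
# MDA) next to the hardened form from the workaround section.
write_samples() {
    cat > "$1" <<'EOF'
# constructed weak entry
poll pop.example.net proto pop3
     user 'alice' there with password 'CHANGEME' is 'alice' here
     mda "/usr/bin/procmail -d %T"
EOF
    cat > "$2" <<'EOF'
# constructed hardened entry
poll pop.example.net proto pop3
     user 'alice' there with password 'CHANGEME' is 'alice' here
     ssl sslcertck sslproto 'ssl3'
     smtphost localhost
EOF
}
```

Run it as `audit_fetchmailrc ~/.fetchmailrc`; a non-zero exit status flags at least one poll entry that still needs the workaround.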

Solution

Upgrade to Fetchmail 6.3.6 or a newer stable release:
http://developer.berlios.de/project/showfiles.php?group_id=1824

References

Fetchmail
http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt
http://fetchmail.berlios.de/fetchmail-SA-2006-03.txt

Insecure.org
http://seclists.org/bugtraq/2007/Jan/0166.html
http://seclists.org/bugtraq/2007/Jan/0165.html

SecurityFocus
http://www.securityfocus.com/bid/21903/
http://www.securityfocus.com/bid/21902/

CVE Name
CVE-2006-5867
CVE-2006-5974

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003