ID CVE-2005-0546
Summary Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd.
References
Vulnerable Configurations
  • cpe:2.3:a:cyrus:imapd:2.0.17
  • cpe:2.3:a:cyrus:imapd:2.1.16
  • cpe:2.3:a:cyrus:imapd:2.1.17
  • cpe:2.3:a:cyrus:imapd:2.1.18
  • cpe:2.3:a:cyrus:imapd:2.2.10
CVSS
Base: 7.5 (as of 08-06-2005 - 10:22)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability PARTIAL
nessus via4
  • NASL family Gain a shell remotely
    NASL id CYRUS_IMAP_MULTIPLE_VULNERABILITIES.NASL
    description According to its banner, the remote Cyrus IMAP server is affected by off-by-one errors in its imapd annotate extension and its cached header handling which can be triggered by an authenticated user, a buffer overflow in fetchnews that can be triggered by a peer news admin, and an unspecified stack-based buffer overflow in imapd.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 17208
    published 2005-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17208
    title Cyrus IMAP Server < 2.2.11 Multiple Remote Overflows
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-051.NASL
    description Several overruns have been fixed in the IMAP annotate extension as well as in cached header handling which can be run by an authenticated user. As well, additional bounds checking in fetchnews was improved to avoid exploitation by a peer news admin.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 17280
    published 2005-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17280
    title Mandrake Linux Security Advisory : cyrus-imapd (MDKSA-2005:051)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_B2D248AD88F611D9AA180001020EED82.NASL
    description The Cyrus IMAP Server ChangeLog states : - Fix possible single byte overflow in mailbox handling code. - Fix possible single byte overflows in the imapd annotate extension. - Fix stack-based buffer overflows in fetchnews (exploitable by peer news server), backend (exploitable by admin), and in imapd (exploitable by users though only on platforms where a filename may be larger than a mailbox name). The 2.1.X series are reportedly only affected by the second issue. These issues may lead to execution of arbitrary code with the permissions of the user running the Cyrus IMAP Server.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 19086
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19086
    title FreeBSD : cyrus-imapd -- multiple buffer overflow vulnerabilities (b2d248ad-88f6-11d9-aa18-0001020eed82)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-408.NASL
    description Updated cyrus-imapd packages that fix several buffer overflow security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21935
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21935
    title CentOS 4 : cyrus-imapd (CESA-2005:408)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-339.NASL
    description Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. In addition this version of the rpm contains a collection of other fixes since the last FC3 update (see below changelog). IMPORTANT NOTE FOR X86_64 INSTALLATION: This rpm also fixes bug #156121 that incorrectly placed some executables in /usr/lib64/cyrus-imapd. /usr/lib64 is reserved for 64 bit libraries and this caused problems for existing scripts that expected to find them in a canonical location (/usr/lib/cyrus-imapd) and violated the multilib packaging guidelines. Only references external to the cyrus-imapd package are affected by this, the rpm is self consistent. The most notable example is /usr/lib64/cyrus-impad/deliver which is now /usr/lib/cyrus-imapd/deliver (use of lmtp is encouraged in preference to deliver). This change only affects x86_64 installations. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 62256
    published 2012-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62256
    title Fedora Core 3 : cyrus-imapd-2.2.12-1.1.fc3 (2005-339)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-87-1.NASL
    description Sean Larsson discovered a buffer overflow in the IMAP 'annotate' extension. This possibly allowed an authenticated IMAP client to execute arbitrary code with the privileges of the Cyrus IMAP server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20712
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20712
    title Ubuntu 4.10 : cyrus21-imapd vulnerability (USN-87-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-408.NASL
    description Updated cyrus-imapd packages that fix several buffer overflow security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The cyrus-imapd package contains the core of the Cyrus IMAP server. Several buffer overflow bugs were found in cyrus-imapd. It is possible that an authenticated malicious user could cause the imap server to crash. Additionally, a peer news admin could potentially execute arbitrary code on the imap server when news is received using the fetchnews command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0546 to this issue. Users of cyrus-imapd are advised to upgrade to these updated packages, which contain cyrus-imapd version 2.2.12 to correct these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18280
    published 2005-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18280
    title RHEL 4 : cyrus-imapd (RHSA-2005:408)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200502-29.NASL
    description The remote host is affected by the vulnerability described in GLSA-200502-29 (Cyrus IMAP Server: Multiple overflow vulnerabilities) Possible single byte overflows have been found in the imapd annotate extension and mailbox handling code. Furthermore stack-based buffer overflows have been found in fetchnews, the backend and imapd. Impact : An attacker, who could be an authenticated user or an admin of a peering news server, could exploit these vulnerabilities to execute arbitrary code with the rights of the user running the Cyrus IMAP Server. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 17206
    published 2005-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17206
    title GLSA-200502-29 : Cyrus IMAP Server: Multiple overflow vulnerabilities
oval via4
accepted 2013-04-29T04:07:38.898-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd.
family unix
id oval:org.mitre.oval:def:10674
status accepted
submitted 2010-07-09T03:56:16-04:00
title Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd.
version 24
redhat via4
advisories
rhsa
id RHSA-2005:408
refmap via4
bid 12636
bugtraq 20050228 [USN-87-1] Cyrus IMAP server vulnerability
conectiva CLA-2005:937
confirm http://bugs.gentoo.org/show_bug.cgi?id=82404
fedora FLSA:156290
gentoo GLSA-200502-29
mandrake MDKSA-2005:051
mlist [info-cyrus] 20050214 Cyrus IMAPd 2.2.11 Released
sectrack 1013278
secunia 14383
Last major update 17-10-2016 - 23:12
Published 02-05-2005 - 00:00
Last modified 19-10-2018 - 11:31