1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
fetchmail-SA-2012-02: DoS/data theft possible in NTLM authentication
Topics: fetchmail denial of service/data theft in NTLM protocol phase
Author: Matthias Andree
Version: draft
Announced: 2012-08-13
Type: reading from bad memory locations
Impact: fetchmail segfaults and aborts, stalling inbound mail,
or: fetchmail conveys data from bad locations, possibly
betraying confidential data
Danger: low
Acknowledgment: J. Porter Clark
CVE Name: CVE-2012-3482
URL: http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL: http://www.fetchmail.info/
Affects: - fetchmail releases 5.0.8 up to and including 6.3.21
when compiled with NTLM support enabled
Not affected: - fetchmail releases compiled with NTLM support disabled
- fetchmail releases 6.3.22 and newer
Corrected in: 2012-08-13 Git, among others, see commit
3fbc7cd331602c76f882d1b507cd05c1d824ba8b
2012-08-xx fetchmail 6.3.22 release tarball
0. Release history
==================
2012-08-13 0.1 draft
2012-08-14 0.2 added CVE ID
2012-08-14 0.3 mention data theft
1. Background
=============
fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.
2. Problem description and Impact
=================================
Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM
authentication request, but never checked if the received response was
an NTLM challenge, or a server-side error message. Instead, fetchmail
tried to decode the error message as though it were base64-encoded
protocol exchange, and could then segfault, subject to verbosity and
other circumstances, while reading data from bad memory locations.
Also, when the "Target Name" structure in the NTLM Type 2 message (the
challenge) was carefully crafted, fetchmail might read from the wrong
memory location, and send confidential data to the server that it should
not have. It is deemed hard, although not impossible, to steal
other accounts' data.
3. Solution
===========
Install fetchmail 6.3.22 or newer.
The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.
Distributors are encouraged to review the NEWS file and move forward to
6.3.22, rather than backport individual security fixes, because doing so
routinely misses other fixes crucial to fetchmail's proper operation,
for which no security announcements are issued, or documentation.
Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
interface incompatibly.
A. Copyright, License and Non-Warranty
======================================
(C) Copyright 2012 by Matthias Andree, <matthias.andree@gmx.de>.
Some rights reserved.
This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).
To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en
or send a letter to:
Creative Commons
444 Castro Street
Suite 900
MOUNTAIN VIEW, CALIFORNIA 94041
USA
THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.
END of fetchmail-SA-2012-02
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAlAqnJ0ACgkQvmGDOQUufZURKQCgtarBW3fr0uR/ANpNma7QiAd0
dFMAoPMNVYwTitZG/gkvwhr7QBGB59pj
=HBRo
-----END PGP SIGNATURE-----
|