-----BEGIN PGP SIGNED MESSAGE-----

fetchmail-SA-2012-02: DoS/data theft possible in NTLM authentication

Topics:         fetchmail denial of service/data theft in NTLM protocol phase

Author:         Matthias Andree

Type:           reading from bad memory locations
Impact:         fetchmail segfaults and aborts, stalling inbound mail,
                or: fetchmail conveys data from bad locations, possibly
                betraying confidential data

Acknowledgment: J. Porter Clark

CVE Name:       CVE-2012-3482
URL:            http://www.fetchmail.info/fetchmail-SA-2012-02.txt
Project URL:    http://www.fetchmail.info/

Affects:        - fetchmail releases 5.0.8 up to and including 6.3.21
                  when compiled with NTLM support enabled

Not affected:   - fetchmail releases compiled with NTLM support disabled
                - fetchmail releases 6.3.22 and newer

Corrected in:   2012-08-13 Git, among others, see commit
                3fbc7cd331602c76f882d1b507cd05c1d824ba8b

                2012-08-xx fetchmail 6.3.22 release tarball

2012-08-14 0.2 added CVE ID
2012-08-14 0.3 mention data theft
fetchmail is a software package to retrieve mail from remote POP3, IMAP,
ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. fetchmail supports SSL and TLS security layers
through the OpenSSL library, if enabled at compile time and if also
enabled at run time, in both SSL/TLS-wrapped mode on dedicated ports as
well as in-band-negotiated "STARTTLS" and "STLS" modes through the
regular protocol ports.
2. Problem description and Impact
=================================

Fetchmail version 5.0.8 added NTLM support. This code sent the NTLM
authentication request, but never checked whether the received response
was an NTLM challenge or a server-side error message. Instead, fetchmail
tried to decode the error message as though it were the base64-encoded
protocol exchange, and could then segfault, subject to verbosity and
other circumstances, while reading data from bad memory locations.

Also, when the "Target Name" structure in the NTLM Type 2 message (the
challenge) was carefully crafted, fetchmail might read from the wrong
memory location, and send confidential data to the server that it should
not have. It is deemed hard, although not impossible, to steal
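The two checks the advisory describes as missing, written up here as an added example. This is not fetchmail's code and not the fix from the commit cited above; it assumes the SASL convention that a server continuation line begins with "+ " followed by the base64 challenge (as in IMAP AUTHENTICATE and POP3 AUTH), and the public NTLM CHALLENGE_MESSAGE layout (8-byte "NTLMSSP\0" signature, 4-byte message type, then the TargetName fields {Len u16, MaxLen u16, Offset u32}). The function names and the sample message are constructed for the illustration. The second check deliberately handles the edge case the advisory points at: an offset/length pair that points outside the decoded message, including values large enough to wrap a 32-bit addition.

```c
/* Added example (not fetchmail's code): the two validations the advisory
 * says were absent. Names and sample data are constructed for this
 * illustration; the message layout follows MS-NLMP CHALLENGE_MESSAGE. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Check 1: only a SASL continuation ("+ <base64>") carries a challenge.
 * Status lines such as "NO ..." or "-ERR ..." are returned as NULL so the
 * caller never hands them to the base64 decoder. */
static const char *ntlm_challenge_payload(const char *line)
{
    if (line == NULL || strncmp(line, "+ ", 2) != 0)
        return NULL;
    return line + 2;          /* base64 text begins after "+ " */
}

/* Little-endian readers for the fixed-width fields. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Check 2: locate the Target Name of a decoded Type 2 message without
 * trusting the attacker-controlled Len/Offset pair. Returns the name
 * length and sets *name, or returns -1 if the message is rejected. */
static int ntlm_type2_target_name(const uint8_t *msg, size_t msglen,
                                  const uint8_t **name)
{
    if (msglen < 20 || memcmp(msg, "NTLMSSP", 8) != 0 || rd32(msg + 8) != 2)
        return -1;                       /* not a Type 2 message at all */
    uint16_t len = rd16(msg + 12);
    uint32_t off = rd32(msg + 16);
    /* off and off+len must stay inside msg; compare in size_t arithmetic
     * (subtraction, not addition) so a huge offset cannot wrap around */
    if (off > msglen || (size_t)len > msglen - off)
        return -1;
    *name = msg + off;
    return len;
}

/* Constructed sample: a well-formed Type 2 message whose 3-byte Target
 * Name "SRV" sits at offset 40, right after the 40-byte fixed header. */
static const uint8_t sample_ok[43] = {
    'N','T','L','M','S','S','P',0,   /* signature            */
    2,0,0,0,                         /* MessageType = 2      */
    3,0, 3,0, 40,0,0,0,              /* TargetName Len/Max/Offset */
    0,0,0,0,                         /* NegotiateFlags       */
    1,2,3,4,5,6,7,8,                 /* ServerChallenge      */
    0,0,0,0,0,0,0,0,                 /* Reserved             */
    'S','R','V'                      /* TargetName payload   */
};

/* Well-formed input: expect length 3 and the bytes "SRV". */
static int demo_good(void)
{
    const uint8_t *name = NULL;
    int n = ntlm_type2_target_name(sample_ok, sizeof sample_ok, &name);
    return (n == 3 && memcmp(name, "SRV", 3) == 0) ? n : -1;
}

/* Same message with Len forged to 0xFFFF: must be rejected (-1) rather
 * than read past the end of the 43-byte buffer. */
static int demo_bad_len(void)
{
    uint8_t m[sizeof sample_ok];
    const uint8_t *name = NULL;
    memcpy(m, sample_ok, sizeof m);
    m[12] = 0xFF; m[13] = 0xFF;
    return ntlm_type2_target_name(m, sizeof m, &name);
}

/* Same message with Offset forged to 0xFFFFFFFF: must also be rejected. */
static int demo_bad_off(void)
{
    uint8_t m[sizeof sample_ok];
    const uint8_t *name = NULL;
    memcpy(m, sample_ok, sizeof m);
    memset(m + 16, 0xFF, 4);
    return ntlm_type2_target_name(m, sizeof m, &name);
}

int main(void)
{
    printf("challenge line -> %s\n",
           ntlm_challenge_payload("+ TlRMTVNTUAAC") ? "decode" : "reject");
    printf("error line     -> %s\n",
           ntlm_challenge_payload("NO authentication failed") ? "decode" : "reject");
    printf("good=%d bad_len=%d bad_off=%d\n",
           demo_good(), demo_bad_len(), demo_bad_off());
    return 0;
}
```

The second check is the one that matters for the data-theft case: the fix is not to clamp the length but to refuse the message outright, since a challenge whose Target Name points outside its own bytes is malformed whatever the reason.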
Install fetchmail 6.3.22 or newer.

The fetchmail source code is always available from
<http://developer.berlios.de/project/showfiles.php?group_id=1824>.

Distributors are encouraged to review the NEWS file and move forward to
6.3.22, rather than backport individual security fixes, because doing so
routinely misses other fixes that are crucial to fetchmail's proper
operation but for which no security announcements are issued, as well as
documentation updates.

Fetchmail 6.3.X releases have always been made with a focus on unchanged
user and program interfaces so as to avoid disruptions when upgrading
from 6.3.X to 6.3.Y with Y > X. Care was taken to not change the
interface incompatibly.
A. Copyright, License and Non-Warranty
======================================

(C) Copyright 2012 by Matthias Andree, <matthias.andree@gmx.de>.

This work is licensed under the
Creative Commons Attribution-NoDerivs 3.0 Germany License (CC BY-ND 3.0).

To view a copy of this license, visit
http://creativecommons.org/licenses/by-nd/3.0/de/deed.en

MOUNTAIN VIEW, CALIFORNIA 94041

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END of fetchmail-SA-2012-02
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlAqnJ0ACgkQvmGDOQUufZURKQCgtarBW3fr0uR/ANpNma7QiAd0
dFMAoPMNVYwTitZG/gkvwhr7QBGB59pj
-----END PGP SIGNATURE-----