fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.

From Red Hat Security Advisory 2007:0018 :

Updated fetchmail packages that fix two security issues are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Fetchmail is a remote mail retrieval and forwarding utility.

A denial of service flaw was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.

A flaw was found in the way Fetchmail used TLS encryption to connect to remote hosts. Fetchmail provided no way to enforce the use of TLS encryption and would not authenticate POP3 protocol connections properly (CVE-2006-5867). This update corrects this issue by enforcing TLS encryption when the 'sslproto' configuration directive is set to 'tls1'.

Users of Fetchmail should update to these packages, which contain backported patches to correct these issues.

Note: This update may break configurations which assumed that Fetchmail would use plain-text authentication if TLS encryption is not supported by the POP3 server even if the 'sslproto' directive is set to 'tls1'. If you are using a custom configuration that depended on this behavior you will need to modify your configuration appropriately after installing this update.

Three security issues have been fixed in fetchmail :

  - fetchmail when configured for multidrop mode, allows     remote attackers to cause a denial of service     (application crash) by sending messages without headers     from upstream mail servers. (CVE-2005-4348)

  - fetchmail did not properly enforce TLS and may transmit     cleartext passwords over unsecured links if certain     circumstances occur, which allows remote attackers to     obtain sensitive information via man-in-the-middle     (MITM) attacks. (CVE-2006-5867)

  - fetchmail when refusing a message delivered via the mda     option, allowed remote attackers to cause a denial of     service (crash) via unknown vectors that trigger a NULL     pointer dereference when calling the ferror or fflush     functions. (CVE-2006-5974)

Three security issues have been fixed in fetchmail :

CVE-2005-4348: fetchmail when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.

CVE-2006-5867: fetchmail did not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive information via man-in-the-middle (MITM) attacks.

CVE-2006-5974: fetchmail when refusing a message delivered via the mda option, allowed remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference when calling the ferror or fflush functions.

Updated fetchmail packages that fix two security issues are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Fetchmail is a remote mail retrieval and forwarding utility.

A denial of service flaw was found when Fetchmail was run in multidrop mode. A malicious mail server could send a message without headers which would cause Fetchmail to crash (CVE-2005-4348). This issue did not affect the version of Fetchmail shipped with Red Hat Enterprise Linux 2.1 or 3.

A flaw was found in the way Fetchmail used TLS encryption to connect to remote hosts. Fetchmail provided no way to enforce the use of TLS encryption and would not authenticate POP3 protocol connections properly (CVE-2006-5867). This update corrects this issue by enforcing TLS encryption when the 'sslproto' configuration directive is set to 'tls1'.

Users of Fetchmail should update to these packages, which contain backported patches to correct these issues.

Note: This update may break configurations which assumed that Fetchmail would use plain-text authentication if TLS encryption is not supported by the POP3 server even if the 'sslproto' directive is set to 'tls1'. If you are using a custom configuration that depended on this behavior you will need to modify your configuration appropriately after installing this update.

Daniel Drake discovered a problem in fetchmail, an SSL enabled POP3, APOP, IMAP mail gatherer/forwarder, that can cause a crash when the program is running in multidrop mode and receives messages without headers.

The old stable distribution (woody) does not seem to be affected by this problem.

The remote host is running Apple Mac OS X, but lacks Security Update 2006-004.

This security update contains fixes for the following applications :

AFP Server Bluetooth Bom DHCP dyld fetchmail gnuzip ImageIO LaunchServices OpenSSH telnet WebKit

The fetchmail team reports :

Fetchmail contains a bug that causes an application crash when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers. As fetchmail does not record this message as 'previously fetched', it will crash with the same message if it is re-executed, so it cannot make progress. A malicious or broken-into upstream server could thus cause a denial of service in fetchmail clients.

New fetchmail packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues.

Steve Fosdick discovered a remote Denial of Service vulnerability in fetchmail. When using fetchmail in 'multidrop' mode, a malicious email server could cause a crash by sending an email without any headers.
Since fetchmail is commonly called automatically (with cron, for example), this crash could go unnoticed.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a DoS (application crash) by sending messages without headers from upstream mail servers.

The updated packages have been patched to correct this problem.

ID	Name	Product	Family	Severity
67440	Oracle Linux 3 / 4 : fetchmail (ELSA-2007-0018)	Nessus	Oracle Linux Local Security Checks	high
29425	SuSE 10 Security Update : fetchmail (ZYPP Patch Number 2608)	Nessus	SuSE Local Security Checks	high
27213	openSUSE 10 Security Update : fetchmail (fetchmail-2602)	Nessus	SuSE Local Security Checks	high
24316	RHEL 2.1 / 3 / 4 : fetchmail (RHSA-2007:0018)	Nessus	Red Hat Local Security Checks	high
24286	CentOS 3 / 4 : fetchmail (CESA-2007:0018)	Nessus	CentOS Local Security Checks	high
22805	Debian DSA-939-1 : fetchmail - programming error	Nessus	Debian Local Security Checks	high
22125	Mac OS X Multiple Vulnerabilities (Security Update 2006-004)	Nessus	MacOS X Local Security Checks	critical
21541	FreeBSD : fetchmail -- NULL pointer dereference in multidrop mode with headerless email (f7eb0b23-7099-11da-a15c-0060084a00e5)	Nessus	FreeBSD Local Security Checks	high
20912	Slackware 10.0 / 10.1 / 10.2 / 8.1 / 9.0 / 9.1 / current : fetchmail (SSA:2006-045-01)	Nessus	Slackware Local Security Checks	high
20777	Ubuntu 4.10 / 5.04 / 5.10 : fetchmail vulnerability (USN-233-1)	Nessus	Ubuntu Local Security Checks	high
20467	Mandrake Linux Security Advisory : fetchmail (MDKSA-2005:236)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2005-4348

high

Tenable Plugins

high

high

high

high

high

high

critical

high

high

high

high