CVE-2007-1558

LOW

Description

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.

References

ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc

http://balsa.gnome.org/download.html

http://docs.info.apple.com/article.html?artnum=305530

http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579

http://lists.apple.com/archives/security-announce/2007/May/msg00004.html

http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html

http://secunia.com/advisories/25353

http://secunia.com/advisories/25402

http://secunia.com/advisories/25476

http://secunia.com/advisories/25496

http://secunia.com/advisories/25529

http://secunia.com/advisories/25534

http://secunia.com/advisories/25546

http://secunia.com/advisories/25559

http://secunia.com/advisories/25664

http://secunia.com/advisories/25750

http://secunia.com/advisories/25798

http://secunia.com/advisories/25858

http://secunia.com/advisories/25894

http://secunia.com/advisories/26083

http://secunia.com/advisories/26415

http://secunia.com/advisories/35699

http://security.gentoo.org/glsa/glsa-200706-06.xml

http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857

http://sourceforge.net/forum/forum.php?forum_id=683706

http://sylpheed.sraoss.jp/en/news.html

http://www.claws-mail.org/news.php

http://www.debian.org/security/2007/dsa-1300

http://www.debian.org/security/2007/dsa-1305

http://www.mandriva.com/security/advisories?name=MDKSA-2007:105

http://www.mandriva.com/security/advisories?name=MDKSA-2007:107

http://www.mandriva.com/security/advisories?name=MDKSA-2007:113

http://www.mandriva.com/security/advisories?name=MDKSA-2007:119

http://www.mandriva.com/security/advisories?name=MDKSA-2007:131

http://www.mozilla.org/security/announce/2007/mfsa2007-15.html

http://www.novell.com/linux/security/advisories/2007_14_sr.html

http://www.novell.com/linux/security/advisories/2007_36_mozilla.html

http://www.openwall.com/lists/oss-security/2009/08/15/1

http://www.openwall.com/lists/oss-security/2009/08/18/1

http://www.redhat.com/support/errata/RHSA-2007-0344.html

http://www.redhat.com/support/errata/RHSA-2007-0353.html

http://www.redhat.com/support/errata/RHSA-2007-0385.html

http://www.redhat.com/support/errata/RHSA-2007-0386.html

http://www.redhat.com/support/errata/RHSA-2007-0401.html

http://www.redhat.com/support/errata/RHSA-2007-0402.html

http://www.redhat.com/support/errata/RHSA-2009-1140.html

http://www.securityfocus.com/archive/1/464477/30/0/threaded

http://www.securityfocus.com/archive/1/464569/100/0/threaded

http://www.securityfocus.com/archive/1/470172/100/200/threaded

http://www.securityfocus.com/archive/1/471455/100/0/threaded

http://www.securityfocus.com/archive/1/471720/100/0/threaded

http://www.securityfocus.com/archive/1/471842/100/0/threaded

http://www.securityfocus.com/bid/23257

http://www.securitytracker.com/id?1018008

http://www.trustix.org/errata/2007/0019/

http://www.trustix.org/errata/2007/0024/

http://www.ubuntu.com/usn/usn-469-1

http://www.ubuntu.com/usn/usn-520-1

http://www.us-cert.gov/cas/techalerts/TA07-151A.html

http://www.vupen.com/english/advisories/2007/1466

http://www.vupen.com/english/advisories/2007/1467

http://www.vupen.com/english/advisories/2007/1468

http://www.vupen.com/english/advisories/2007/1480

http://www.vupen.com/english/advisories/2007/1939

http://www.vupen.com/english/advisories/2007/1994

http://www.vupen.com/english/advisories/2007/2788

http://www.vupen.com/english/advisories/2008/0082

https://issues.rpath.com/browse/RPL-1231

https://issues.rpath.com/browse/RPL-1232

https://issues.rpath.com/browse/RPL-1424

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782

Details

Source: MITRE

Published: 2007-04-16

Updated: 2018-10-16

Risk Information

CVSS v2.0

Base Score: 2.6

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 4.9

Severity: LOW