Mandrake Linux Security Advisory : fetchmail (MDKSA-2007:105)

This script is Copyright (C) 2007-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

The APOP functionality in fetchmail's POP3 client implementation
validated the APOP challenge too lightly: it accepted arbitrary data as
the POP3 server's APOP challenge instead of insisting that the
challenge conform to the RFC 822 msg-id syntax.

As a result of this flaw, a man-in-the-middle attacker, who controls
the challenge the client hashes together with its secret, could recover
the first few characters of the APOP secret more easily than should be
possible, and then brute-force the remaining characters at lower cost
than the scheme is meant to allow.

Updated packages have been patched to prevent these issues. Note,
however, that the APOP MD5-based authentication scheme should no longer
be considered secure.
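The check the description calls for, as an added example in Python (not fetchmail's own code, which is C): a permissive extractor that illustrates the behaviour the advisory describes (take everything between the first '<' and the last '>'), beside a strict one that accepts exactly one well-formed RFC 822 msg-id and refuses APOP otherwise, plus the RFC 1939 digest computation. The regex is an approximation of the RFC 822 atom/msg-id grammar written for this example; the greetings other than the RFC 1939 one are constructed here.

```python
import hashlib
import re

# RFC 822 "atom": printable ASCII excluding the specials ()<>@,;:\".[]
# and SPACE/CTLs. Built without an f-string because of the literal braces.
_ATOM = r"[!#$%&'*+\-/0-9=?A-Z^_`a-z{|}~]+"
# RFC 822 msg-id: "<" local-part "@" domain ">" with dot-separated atoms on
# both sides; RFC 1939 uses this form for the APOP timestamp
# (<process-ID.clock@hostname>). Approximation for this example only.
_MSG_ID = re.compile(
    "<" + _ATOM + r"(?:\." + _ATOM + ")*@" + _ATOM + r"(?:\." + _ATOM + ")*>"
)

# The example greeting and shared secret from RFC 1939 section 7.
RFC1939_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
RFC1939_SECRET = "tanstaaf"


def lax_apop_challenge(greeting):
    """Permissive behaviour as described by the advisory (illustration only):
    whatever sits between the first '<' and the last '>' becomes the
    challenge, with no check on its form. An attacker in the middle can
    therefore choose the bytes the client hashes in front of its secret."""
    start = greeting.find("<")
    end = greeting.rfind(">")
    if start < 0 or end <= start:
        return None
    return greeting[start:end + 1]


def strict_apop_challenge(greeting):
    """Return the single RFC 822 msg-id in a '+OK' greeting, or None.

    None means: do not attempt APOP for this session (fall back to
    another mechanism or abort) instead of hashing an unchecked challenge.
    """
    if not greeting.startswith("+OK"):
        return None
    body = greeting.rstrip("\r\n")
    # Control bytes or non-ASCII can never be part of a msg-id.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in body):
        return None
    candidates = _MSG_ID.findall(body)
    # Exactly one well-formed challenge; zero or several is ambiguous.
    if len(candidates) != 1:
        return None
    return candidates[0]


def apop_digest(challenge, secret):
    """RFC 1939 APOP response: lowercase hex MD5 of challenge || secret."""
    return hashlib.md5((challenge + secret).encode("ascii")).hexdigest()


# Constructed greetings: what a lax client would accept versus a strict one.
CONSTRUCTED_GREETINGS = [
    RFC1939_GREETING,                 # genuine challenge: both accept
    "+OK <\x01\x02garbage>",          # control bytes: strict rejects
    "+OK <x y@host>",                 # whitespace in local-part: strict rejects
    "+OK <a@b> <c@d>",                # two candidates: strict rejects
    "+OK nothing here",               # no msg-id at all: both reject
    "-ERR <1.2@host>",                # not a success greeting: strict rejects
]


def compare(greeting):
    """(lax, strict) extraction results for one greeting."""
    return lax_apop_challenge(greeting), strict_apop_challenge(greeting)


if __name__ == "__main__":
    for g in CONSTRUCTED_GREETINGS:
        lax, strict = compare(g)
        print(f"{g!r:50} lax={lax!r} strict={strict!r}")
    ch = strict_apop_challenge(RFC1939_GREETING)
    print("APOP mrose", apop_digest(ch, RFC1939_SECRET))
```

The strict extractor narrows what an attacker on the path can put in front of the secret, which is what the update does; it does not make APOP safe, since the attacker still chooses the challenge within that grammar, which is why the advisory says the scheme should no longer be relied on.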

See also :

http://www.fetchmail.info/fetchmail-SA-2007-01.txt

Solution :

Update the affected fetchmail, fetchmail-daemon and / or fetchmailconf
packages.

Risk factor :

Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 25265 (mandrake_MDKSA-2007-105.nasl)

Bugtraq ID:

CVE ID: CVE-2007-1558
