FreeBSD : fetchmail -- insecure APOP authentication (f1c4d133-e6d3-11db-99ea-0060084a00e5)
Severity: Low. Nessus Plugin ID 25018.
Synopsis: The remote FreeBSD host is missing a security-related update.
Description: Matthias Andree reports:
The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called 'APOP', which should no longer be considered secure.
Additionally, fetchmail's POP3 client implementation has been validating the APOP challenge too lightly and has accepted random garbage as a POP3 server's APOP challenge. This made it easier than necessary for man-in-the-middle attackers to retrieve, by repeated probing and guessing, the first three characters of the APOP secret, bringing brute-forcing of the remaining characters well within reach.
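To make the two halves of the report concrete, the following added example (not fetchmail's code, nor part of this plugin) computes an APOP digest as RFC 1939 defines it, MD5 over the server's timestamp challenge concatenated with the shared secret, and contrasts a lax challenge extractor, which accepts whatever the greeting contains, with a strict one that only accepts a single well-formed, printable msg-id of bounded length. The greeting, user and secret "tanstaaf" are the worked example from RFC 1939 section 7; the garbage greetings are constructed; the strict grammar and the 128-character limit are assumptions approximating RFC 1939's msg-id syntax, not a transcription of the fetchmail patch.

```python
"""APOP digest computation with lax versus strict challenge validation.

Added example, not fetchmail's code.  The strict rules are an assumption
modelled on the msg-id syntax RFC 1939 requires of the APOP timestamp.
"""
import hashlib
import re
from typing import Optional

# Worked example from RFC 1939 section 7: this greeting and the shared secret
# "tanstaaf" yield the APOP digest c4c9334bac560ecc979e58001b3e22fb.
RFC1939_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
RFC1939_SECRET = "tanstaaf"

# Constructed greetings a man-in-the-middle could substitute for the real one.
GARBAGE_GREETINGS = [
    "+OK \x00\x01\x02\xff\xfe<binary>",  # control and 8-bit bytes
    "+OK <@>",                           # empty local-part and domain
    "+OK <a@b><c@d>",                    # two msg-ids in one greeting
    "+OK no timestamp at all",           # nothing in angle brackets
    "+OK <" + "A" * 300 + "@x>",         # absurdly long challenge
]

# Assumption: a conservative msg-id, "<" atext+ "@" atext+ ">", where atext is
# printable ASCII excluding space, "<", ">" and "@" (so exactly one "@").
_ATEXT = r"[!-;=?A-~]"
_MSGID_RE = re.compile(rf"<{_ATEXT}+@{_ATEXT}+>")
MAX_CHALLENGE_LEN = 128  # assumption: generous bound, real servers stay far below


def lax_extract(greeting: str) -> Optional[str]:
    """Stand-in for a too-light client: take anything between the first '<'
    and the last '>', or failing that the whole greeting body."""
    start, end = greeting.find("<"), greeting.rfind(">")
    if start != -1 and end > start:
        return greeting[start:end + 1]
    return greeting[3:].strip() or None


def strict_extract(greeting: str) -> Optional[str]:
    """Return the challenge only if the greeting is a +OK line of printable
    ASCII containing exactly one bounded, well-formed msg-id; else None."""
    if not greeting.startswith("+OK"):
        return None
    if not (greeting.isascii() and greeting.isprintable()):
        return None
    candidates = re.findall(r"<[^<>]*>", greeting)
    if len(candidates) != 1:
        return None
    challenge = candidates[0]
    if len(challenge) > MAX_CHALLENGE_LEN or not _MSGID_RE.fullmatch(challenge):
        return None
    return challenge


def apop_digest(challenge: str, secret: str) -> str:
    """RFC 1939 APOP digest: lowercase hex MD5 of challenge || secret."""
    return hashlib.md5((challenge + secret).encode("ascii")).hexdigest()


def build_apop_command(user: str, secret: str, greeting: str,
                       strict: bool = True) -> str:
    """Build the client's APOP line, refusing suspicious challenges when strict."""
    challenge = strict_extract(greeting) if strict else lax_extract(greeting)
    if challenge is None:
        raise ValueError("refusing APOP: server greeting has no acceptable challenge")
    return f"APOP {user} {apop_digest(challenge, secret)}"


def rejected_by_strict(greetings) -> int:
    """Count how many of the given greetings the strict extractor refuses."""
    return sum(1 for g in greetings if strict_extract(g) is None)


if __name__ == "__main__":
    print(build_apop_command("mrose", RFC1939_SECRET, RFC1939_GREETING))
    for g in GARBAGE_GREETINGS:
        print(repr(g[:40]), "lax ->", repr(lax_extract(g)), "| strict ->",
              repr(strict_extract(g)))
```

Strict validation only takes away the extra freedom a forged challenge gives an attacker; it does not repair APOP itself, which, as the report says, should no longer be considered secure.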
Solution: Update the affected package.