CPNI - Centre for the Protection of National Infrastructure


January 2007

IBM SECURITY ADVISORY: AIX 5.3 : Security advisories (2007.01.26) Authentication vulnerability in pop3d, pop3ds, imapd and imapds.

ID: 00054
Ref: 51/2007
Date: 29 January 2007 14:33:25
Version: 1

Title: IBM SECURITY ADVISORY: AIX 5.3 : Security advisories (2007.01.26) Authentication vulnerability in pop3d, pop3ds, imapd and imapds.
Abstract: An authentication vulnerability has been discovered in pop3d, pop3ds, imapd and imapds. The vulnerability allows a user to authenticate under circumstances when authentication should fail. It is possible for a remote attacker to exploit this vulnerability. Attackers will be able to use these services as though they successfully authenticated. These daemons ship as part of the bos.net.tcp.server fileset.
Vendors affected: IBM
Operating systems affected: IBM
Applications affected: IBM

AIX 5.3 : Security advisories (2007.01.26)

Authentication vulnerability in pop3d, pop3ds, imapd and imapds.


IBM SECURITY ADVISORY


First Issued: Fri Jan 26 10:10:13 CST 2007
==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: Authentication vulnerability in pop3d, pop3ds, imapd
and imapds.

PLATFORMS: AIX 5.3.

SOLUTION: Apply the APAR, interim fix or workaround as
described below.

THREAT: Remote users can authenticate to pop3d, pop3ds, imapd
and imapds when authentication should be denied.

CERT VU Number: n/a
CVE Number: n/a
==========================================================================
DETAILED INFORMATION


I. Description
===============

An authentication vulnerability has been discovered in pop3d, pop3ds, imapd and imapds. The vulnerability allows a user to authenticate under circumstances when authentication should fail. It is possible for a remote attacker to exploit this vulnerability. Attackers will be able to use these services as though they successfully authenticated. These daemons ship as part of the bos.net.tcp.server fileset.

The following table shows the versions of bos.net.tcp.server which are affected by this vulnerability:

AIX Release    Lower Level    Upper Level
===========================================
AIX 5.2        n/a            n/a
AIX 5.3        5.3.0.30       5.3.0.52


II. Impact
==========
A remote user can authenticate to pop3d, pop3ds, imapd and imapds when authentication should be denied.

III. Solutions
===============

A. APARs

IBM provides the following fixes:

APAR number for AIX 5.3.0: IY93084 (available approx. 03/07/07)

NOTE: Affected customers are urged to upgrade to the latest applicable Technology Level.

B. Interim Fix

Interim fixes are available. The interim fixes can be downloaded via ftp
from:

ftp://aix.software.ibm.com/aix/efixes/security/pop3d_ifix.tar.Z

This is a compressed tarball containing this advisory, interim fix packages and cleartext PGP signatures for each package.


Verify you have retrieved the fixes intact:
+------------------------------------------
The checksums below were generated using the "sum" and "md5sum" commands and are as follows:

Filename                    sum           md5
=========================================================================
IY93084_03.070111.epkg.Z    30827 2193    f2eaab199ede9f1558f2cdbcb5bf1c4e
IY93084_04.070111.epkg.Z    55091 2198    d9bdd94a06a6644b1e409130e0545237
IY93084_05.070123.epkg.Z    61360 2201    cb24548b7ba7cb80d6c5142de62db092

See the table below to determine which AIX Technology Level a given interim fix maps to.

These sums should match exactly. The PGP signatures in the compressed tarball and on this advisory can also be used to verify the integrity of the various files they correspond to. If the sums or signatures cannot be confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at security-alert@austin.ibm.com and describe the discrepancy.

The interim fixes include prerequisite checking. This ensures the correct mapping between the interim fixes and AIX Technology Levels. The following table shows the prerequisite fileset levels required for the fixes above. The levels shown are for bos.net.tcp.server.

Interim Fix                 Fileset Level    Fileset Level    AIX
                            (lower level)    (upper level)    Level
=====================================================================
IY93084_03.070111.epkg.Z    5.3.0.30         5.3.0.30         5300-03
IY93084_04.070111.epkg.Z    5.3.0.40         5.3.0.40         5300-04
IY93084_05.070123.epkg.Z    5.3.0.50         5.3.0.52         5300-05
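The two tables above (affected bos.net.tcp.server range, and the prerequisite range each interim fix accepts) can be turned into a host check. The script below is an added example, not part of IBM's advisory or its packaging: it parses the Level column from `lslpp -L bos.net.tcp.server` output, reports whether the installed level falls inside 5.3.0.30 to 5.3.0.52, and names the epkg whose prerequisite range covers it. The lslpp output embedded in LSLPP_SAMPLE is constructed for the demonstration; the function and variable names are this example's own.

```shell
#!/bin/sh
# Compare two dotted version strings numerically; print -1, 0 or 1.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$a" = "$ah" ] && a='' || a=${a#*.}
        [ "$b" = "$bh" ] && b='' || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# True when LEVEL lies in the advisory's affected range for AIX 5.3.
affected_level() {
    [ "$(vercmp "$1" 5.3.0.30)" -ge 0 ] && [ "$(vercmp "$1" 5.3.0.52)" -le 0 ]
}

# Map an installed fileset level to the interim fix whose prerequisite
# range (lower, upper) covers it, per the table in the advisory.
ifix_for_level() {
    lvl=$1
    for entry in "5.3.0.30 5.3.0.30 IY93084_03.070111.epkg.Z" \
                 "5.3.0.40 5.3.0.40 IY93084_04.070111.epkg.Z" \
                 "5.3.0.50 5.3.0.52 IY93084_05.070123.epkg.Z"; do
        set -- $entry
        if [ "$(vercmp "$lvl" "$1")" -ge 0 ] && [ "$(vercmp "$lvl" "$2")" -le 0 ]; then
            echo "$3"; return 0
        fi
    done
    echo none; return 1
}

# Extract the Level column for bos.net.tcp.server from lslpp -L output on stdin.
installed_level() {
    awk '$1 == "bos.net.tcp.server" { print $2; exit }'
}

# Assess one host from lslpp text on stdin: "affected <level> <ifix>" or "not-affected <level>".
assess() {
    lvl=$(installed_level)
    if affected_level "$lvl"; then
        echo "affected $lvl $(ifix_for_level "$lvl")"
    else
        echo "not-affected $lvl"
    fi
}

# Constructed sample of lslpp -L output (a real host would pipe the command itself).
LSLPP_SAMPLE='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.net.tcp.server         5.3.0.50    C     F    TCP/IP Server'

printf '%s\n' "$LSLPP_SAMPLE" | assess
```

On a live system replace the sample with `lslpp -L bos.net.tcp.server | assess`; a level outside the table (for example after the APAR is applied) reports not-affected.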

IMPORTANT: If possible, it is recommended that a mksysb backup of the system is created. Verify that it is both bootable and readable before proceeding.

Customers may contact IBM support if any issues arise with these interim fixes.

Interim Installation Instructions:
+---------------------------------
These packages use the new Interim Fix Management Solution to install and manage interim fixes. More information can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an epkg interim fix installation execute the following command:

# emgr -e ipkg_name -p    # where ipkg_name is the name of the interim fix package being previewed

To install an epkg interim fix package, execute the following command:

# emgr -e ipkg_name -X    # where ipkg_name is the name of the interim fix package being installed

The "X" flag will expand any filesystems if required.

C. Workaround

Disable the daemons if they are not being used.

IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely with the AIX Security Team send email to security-alert@austin.ibm.com with a subject of "get key". The key can also be downloaded from a PGP Public Key Server. The key id is 0x1B14F299.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders.


---------------------------------------------------------------------

Related URLs:

Find end of support dates for AIX and software running on AIX
http://www.ibm.com/services/sl/products

Visit Unix Servers Support for a wide array of technical resources.
http://www.ibm.com/servers/eserver/support/unixservers

Download fixes for AIX V5 and 4.3 OS, Java, Compilers:
http://www-912.ibm.com/eserver/support/fixes/

Update your Subscription Service profile
http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoe?mode=2

Unsubscribe from Subscription Service
http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoe?mode=3

Sign up for customized weekly newsletter from IBM
https://isource.ibm.com/world/index.shtml
