imapsync default version check with information leakage

2014.01.17

Credit: Kurt

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2013-4279

CWE: CWE-200

Ogólna skala CVSS: 5/10

Znaczenie: 2.9/10

Łatwość wykorzystania: 10/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Częściowy

Wpływ na integralność: Brak

Wpływ na dostępność: Brak

imapsync http://imapsync.lamiral.info/

Title: imapsync default version check with
http://imapsync.lamiral.info information leakage (CVE-2013-4279)

Threat: Availability: no timeout so an attacker simply sends a slow
response
Threat: Confidentiality: connects to http://imapsync.lamiral.info and
sends version # and operating system name and person version

Impact: Moderate (Medium)
CVSS2: 6.4/AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected: imapsync version 1.580 and earlier

Description: By default imapsync runs a "release check" when executed,
this causes imapsync to connect to http://imapsync.lamiral.info and
send information about the version of imapsync, the operating system
and perl.

This feature is not well documented. It is enabled by default. The
only hint it exists is the "--noreleasecheck" which is not documented
anywhere other then running the program with the help option.

Affected code:

sub imapsync_version_public {
    my $local_version = imapsync_version();
        my $imapsync_basename = imapsync_basename();
    my $agent_info = "$OSNAME system, perl "
                . sprintf("%vd", $PERL_VERSION)
        . ", Mail::IMAPClient $Mail::IMAPClient::VERSION"
        . " $imapsync_basename";
    my $sock = IO::Socket::INET->new(
        PeerAddr => 'imapsync.lamiral.info',
        PeerPort => '80',
                Proto => 'tcp'
        ) ;
        return( 'unknown' ) if not $sock ;
    print $sock
        "GET /prj/imapsync/VERSION HTTP/1.0\n",
        "User-Agent: imapsync/$local_version ($agent_info)\n",
        "Host: ks.lamiral.info\n\n";
    my @line = <$sock>;
    close($sock);
        my $last_release = $line[-1];
    chomp($last_release);
    return($last_release);
}

Suggested solution:

1) $releasecheck should be changed to default to 0 (False) and convert
- --noreleasecheck to --releasecheck
2) this feature should use HTTPS to prevent information leakage to
attackers
3) or disable this feature entirely

Workaround:

Make sure you also use --noreleasecheck when running imapsync (maybe
alias the full command?).

Timeline:

2013-Aug-22: notified upstream vendor at gilles.lamiral () laposte net
2014-Jan-16: public release (what can I say, I got busy).

External links:
Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1000215

I can also handle notifying all the other vendors no problem via
distros@ list.

Referencje:

http://imapsync.lamiral.info

http://seclists.org/oss-sec/2014/q1/101

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

imapsync default version check with information leakage

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.