Vulnerability CVE-2007-1558
Published: 2007-04-16   Modified: 2012-02-12

Description:
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail before 6.3.8, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, (7) Mailfilter before 0.8.2, and possibly other products.

Type:

CWE-Other

CVSS2 => (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.6/10
2.9/10
4.9/10
Exploit range
Attack complexity
Authentication
Remote
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Apop protocol -> Apop protocol 

 References:
ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc
http://balsa.gnome.org/download.html
http://docs.info.apple.com/article.html?artnum=305530
http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00771742
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00774579
http://lists.apple.com/archives/security-announce/2007/May/msg00004.html
http://mail.gnome.org/archives/balsa-list/2007-July/msg00000.html
http://security.gentoo.org/glsa/glsa-200706-06.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.571857
http://sourceforge.net/forum/forum.php?forum_id=683706
http://sylpheed.sraoss.jp/en/news.html
http://www.claws-mail.org/news.php
http://www.debian.org/security/2007/dsa-1300
http://www.debian.org/security/2007/dsa-1305
http://www.mandriva.com/security/advisories?name=MDKSA-2007:105
http://www.mandriva.com/security/advisories?name=MDKSA-2007:107
http://www.mandriva.com/security/advisories?name=MDKSA-2007:113
http://www.mandriva.com/security/advisories?name=MDKSA-2007:119
http://www.mandriva.com/security/advisories?name=MDKSA-2007:131
http://www.mozilla.org/security/announce/2007/mfsa2007-15.html
http://www.novell.com/linux/security/advisories/2007_14_sr.html
http://www.novell.com/linux/security/advisories/2007_36_mozilla.html
http://www.openwall.com/lists/oss-security/2009/08/15/1
http://www.openwall.com/lists/oss-security/2009/08/18/1
http://www.redhat.com/support/errata/RHSA-2007-0344.html
http://www.redhat.com/support/errata/RHSA-2007-0353.html
http://www.redhat.com/support/errata/RHSA-2007-0385.html
http://www.redhat.com/support/errata/RHSA-2007-0386.html
http://www.redhat.com/support/errata/RHSA-2007-0401.html
http://www.redhat.com/support/errata/RHSA-2007-0402.html
http://www.redhat.com/support/errata/RHSA-2009-1140.html
http://www.securityfocus.com/archive/1/464477/30/0/threaded
http://www.securityfocus.com/archive/1/464569/100/0/threaded
http://www.securityfocus.com/archive/1/470172/100/200/threaded
http://www.securityfocus.com/archive/1/471455/100/0/threaded
http://www.securityfocus.com/archive/1/471720/100/0/threaded
http://www.securityfocus.com/archive/1/471842/100/0/threaded
http://www.securityfocus.com/bid/23257
http://www.securitytracker.com/id?1018008
http://www.ubuntu.com/usn/usn-469-1
http://www.ubuntu.com/usn/usn-520-1
http://www.us-cert.gov/cas/techalerts/TA07-151A.html
http://www.vupen.com/english/advisories/2007/1466
http://www.vupen.com/english/advisories/2007/1467
http://www.vupen.com/english/advisories/2007/1468
http://www.vupen.com/english/advisories/2007/1480
http://www.vupen.com/english/advisories/2007/1939
http://www.vupen.com/english/advisories/2007/1994
http://www.vupen.com/english/advisories/2007/2788
http://www.vupen.com/english/advisories/2008/0082
https://issues.rpath.com/browse/RPL-1231
https://issues.rpath.com/browse/RPL-1232
https://issues.rpath.com/browse/RPL-1424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9782
Copyright 2024, cxsecurity.com

 

Back to Top