Several major Linux vendors have warned that their distributions are vulnerable to four flaws in a widely used IMAP e-mail server from Carnegie Mellon University's Cyrus Electronic Mail Project. The flaws could allow a remote attacker to take over a server.
Among the Linux vendors issuing patches for the Cyrus IMAP server are MandrakeSoft, Gentoo and Debian. IMAP (Internet Message Access Protocol) is one of the most popular standards for accessing e-mail, and the Cyrus software is designed for use by small to large enterprises.
Stefan Esser of e-matters notified the Cyrus IMAP team of the flaws early this month, and a patch was released last week, the security firm said. Public disclosure followed on Monday, and Linux vendors have released patches during the week. E-matters said it wouldn't publicly release technical details of the flaws in order to make exploitation more difficult.
Esser discovered the four bugs during an audit of the Cyrus component, called cyrus-imapd. The bugs comprise a standard stack overflow, out-of-bounds memory corruption in the handling of two commands, and the use of a programming construct whose behaviour is undefined under the C standard, Esser said in an advisory. All four could be exploited to execute arbitrary code on the server, although some take more skill to exploit than others, Esser said.
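To make the first two bug classes concrete, here is a toy command-line parser of the kind an IMAP daemon runs on every client line. It is an added illustration written for this page, not cyrus-imapd source, and it does not reproduce the actual Cyrus flaws (e-matters withheld those details); the buffer sizes, function names and the "tag COMMAND args" layout are assumptions. The unsafe handler copies the client-supplied tag into a fixed stack buffer with no length check, which is the stack-overflow class; the hardened parser rejects oversize tags, refuses more arguments than its array holds, and checks an argument index against the count actually parsed rather than trusting it, which covers the out-of-bounds class. The undefined-behaviour item is not shown, since the page gives no detail on the construct involved.

```c
/* Added illustration for this page: a toy IMAP-style line parser showing a
 * stack-buffer overflow and its bounds-checked counterpart. Not cyrus-imapd
 * code; sizes and names below are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TAG_MAX      16    /* hypothetical fixed-size tag buffer */
#define MAX_ARGS     4     /* hypothetical argument slots per command */
#define LINE_MAX_LEN 256   /* longest line the safe parser will accept */

/* VULNERABLE pattern: the tag (everything before the first space) is copied
 * into a fixed stack buffer with no bound. A tag of TAG_MAX bytes or more
 * overruns 'tag' and corrupts the saved frame: a classic stack overflow.
 * Kept only to show the pattern; never feed it untrusted input. */
int handle_line_unsafe(const char *line)
{
    char tag[TAG_MAX];
    const char *sp = strchr(line, ' ');
    if (sp == NULL)
        return -1;
    memcpy(tag, line, (size_t)(sp - line));   /* no bound on the copy */
    tag[sp - line] = '\0';
    return (int)strlen(tag);
}

/* Parsed command with a private, in-place tokenized copy of the line. */
struct cmd {
    char buf[LINE_MAX_LEN];
    const char *tag;
    const char *command;
    const char *args[MAX_ARGS];
    size_t nargs;
};

/* Split buf in place on spaces. Returns the token count, or -1 if more than
 * 'max' tokens are present (so fields[] is never written past its end). */
static int split_fields(char *buf, char **fields, size_t max)
{
    size_t n = 0;
    char *p = buf;
    while (*p != '\0') {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;
        if (n == max)
            return -1;
        fields[n++] = p;
        while (*p != '\0' && *p != ' ')
            p++;
        if (*p == ' ')
            *p++ = '\0';
    }
    return (int)n;
}

/* HARDENED parser. Returns 0 on success, -1 on malformed or overlong line,
 * -2 on an oversize tag, -3 when more arguments arrive than args[] holds. */
int parse_line_safe(const char *line, struct cmd *out)
{
    char *fields[2 + MAX_ARGS];
    size_t len = strlen(line);
    if (len >= sizeof out->buf)
        return -1;                            /* would not fit: refuse, don't truncate */
    memcpy(out->buf, line, len + 1);

    int n = split_fields(out->buf, fields, 2 + MAX_ARGS);
    if (n < 0)
        return -3;                            /* too many args: would overrun args[] */
    if (n < 2)
        return -1;                            /* need at least tag and command */
    if (strlen(fields[0]) >= TAG_MAX)
        return -2;                            /* the overflow case, now rejected */

    out->tag = fields[0];
    out->command = fields[1];
    out->nargs = (size_t)n - 2;               /* <= MAX_ARGS by construction */
    for (size_t i = 0; i < out->nargs; i++)
        out->args[i] = fields[i + 2];
    return 0;
}

/* Index an argument only after checking against the parsed count. */
const char *cmd_arg(const struct cmd *c, size_t i)
{
    return (i < c->nargs) ? c->args[i] : NULL;
}

int main(void)
{
    struct cmd c;
    /* Constructed sample lines: one well-formed, one with a 40-byte tag. */
    const char *good = "a001 LOGIN user pass";
    const char *bad  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA LOGIN user pass";
    printf("good -> %d\n", parse_line_safe(good, &c));   /* 0 */
    printf("bad  -> %d\n", parse_line_safe(bad, &c));    /* -2: oversize tag rejected */
    return 0;
}
```

The unsafe function is left in only so the two shapes can be compared side by side; the hardened parser never copies a byte it has not first checked for room, and never indexes `args[]` with a value it has not compared against `nargs`.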
Danish security firm Secunia, which maintains a vulnerability database, gave the flaws its second most serious rating.