FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

fetchmail -- insecure APOP authentication

Affected packages
fetchmail < 6.3.8

Details

VuXML ID f1c4d133-e6d3-11db-99ea-0060084a00e5
Discovery 2007-04-06
Entry 2007-04-09

Matthias Andree reports:

The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called "APOP" which should no longer be considered secure.

Additionally, fetchmail's POP3 client implementation has been validating the APOP challenge too lightly and accepted random garbage as a POP3 server's APOP challenge. This made it easier than necessary for man-in-the-middle attackers to retrieve, by repeated probing and guessing, the first three characters of the APOP secret, bringing brute-forcing of the remaining characters well within reach.
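The client-side check that the report above describes as too lax, shown as an added example that is not fetchmail's code and not the fix shipped in 6.3.8. It parses the POP3 greeting, accepts the server's timestamp only if it has the `<local@domain>` msg-id shape that RFC 1939 requires, and only then feeds it into the APOP digest, so a man-in-the-middle cannot substitute an arbitrary byte string for the challenge. The exact character classes and the single-`<...>`-per-greeting rule are this example's own assumptions, stricter than the RFC; the sample greeting, user and secret are the ones from RFC 1939 section 7.

```python
import hashlib
import re

# RFC 1939 says the APOP timestamp "corresponds to the msg-id in RFC 822",
# i.e. <left@right>.  The character classes below are an assumption of this
# example (a visible-ASCII subset with no whitespace, no angle brackets and
# exactly one "@"), chosen so that random bytes cannot pass as a challenge.
_MSG_ID = re.compile(r"<([A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+)@([A-Za-z0-9.-]+)>")


def extract_apop_challenge(greeting: str) -> str:
    """Return the <...> timestamp from a POP3 greeting, or raise ValueError.

    Everything a server could send is attacker-controlled in the MITM case,
    so the challenge is accepted only if it is unambiguous and well formed.
    """
    if not greeting.startswith("+OK"):
        raise ValueError("not a positive POP3 greeting")
    # Assumption of this example: exactly one bracketed timestamp per greeting,
    # which rules out nested or duplicated brackets in one go.
    if greeting.count("<") != 1 or greeting.count(">") != 1:
        raise ValueError("greeting must contain exactly one <...> timestamp")
    start, end = greeting.index("<"), greeting.index(">")
    if end < start:
        raise ValueError("'>' precedes '<'")
    challenge = greeting[start:end + 1]
    if _MSG_ID.fullmatch(challenge) is None:
        raise ValueError("timestamp is not a msg-id of the form <local@domain>")
    return challenge


def challenge_is_acceptable(greeting: str) -> bool:
    """Boolean wrapper around extract_apop_challenge for batch checks."""
    try:
        extract_apop_challenge(greeting)
        return True
    except ValueError:
        return False


def apop_digest(challenge: str, secret: str) -> str:
    """APOP digest as defined in RFC 1939: MD5(timestamp || shared secret)."""
    return hashlib.md5((challenge + secret).encode("ascii")).hexdigest()


def build_apop_command(user: str, greeting: str, secret: str) -> str:
    """Validate the greeting first; only a well-formed timestamp is hashed."""
    challenge = extract_apop_challenge(greeting)
    return f"APOP {user} {apop_digest(challenge, secret)}"


if __name__ == "__main__":
    # Constructed sample greetings: the first is the RFC 1939 example, the
    # rest are malformed challenges a man-in-the-middle might try to inject.
    samples = [
        "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
        "+OK POP3 server ready",                 # no timestamp at all
        "+OK <nodomainpart>",                     # missing "@"
        "+OK <with space@example.net>",           # whitespace inside
        "+OK <a@b> <c@d>",                        # two bracketed blobs
        "+OK >\x00\xff<",                         # binary garbage, wrong order
        "-ERR <1896.697170952@dbc.mtview.ca.us>", # not a positive greeting
    ]
    for g in samples:
        print(f"{challenge_is_acceptable(g)!s:5}  {g!r}")
    print(build_apop_command("mrose", samples[0], "tanstaaf"))
```

Note that the strict parse only closes the "garbage challenge" gap the report describes; it does nothing about the weakness of the APOP scheme itself, which is why the advisory treats APOP as insecure regardless of how carefully the client validates the timestamp.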

References

CVE Name CVE-2007-1558
URL http://www.fetchmail.info/fetchmail-SA-2007-01.txt