POP Mail Servers
Summary
POP2 and POP3 servers allow non-UNIX users to access their mail on a
machine without logging in.
Impact
Unauthorized or malicious users who exploit this vulnerability may be able to
gain access to the target system.
Background
POP servers give PC and Macintosh users a way to receive mail
through another machine. When connecting to a POP server, the client
transmits the user's userid and password in clear text. Once
authenticated, the user can access their mail.
The Problem
Each time the client reconnects to the POP server, the user's userid
and password are transmitted. Some client programs poll the POP
server every few minutes for the arrival of new mail. These
frequent checks increase the possibility of the machine, username,
and password being discovered by a password sniffer "tuned" for POP mail
systems.
Resolution
The specification for POP3 servers (RFC 1725) describes an optional command
to help resolve this clear text password issue. When the initial connection
is made to a POP server, the server displays a timestamp in its banner. The
client uses this timestamp, together with a secret shared between the server
and client, to create an MD5 hash string. When the client connects to the
server (e.g., to check for new mail) it issues a command (APOP) with the
hash string. This method reduces the number of times that a user's userid
and password are transmitted in clear text.
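The APOP exchange described above, as an added example that is not part of the original page or of any POP server's code: the digest is MD5 over the banner timestamp followed by the shared secret, and the server checks it against the timestamp it issued on the current connection. The function names are hypothetical; the banner, user name and secret are the sample values from the APOP example in RFC 1939 (which superseded RFC 1725).

```python
import hashlib
import hmac
import re

# Banner timestamp: the msg-id style token "<...>" in the server greeting.
_TIMESTAMP = re.compile(r"^\+OK\b[^<]*(<[^<>\s]+@[^<>\s]+>)")


def banner_timestamp(greeting):
    """Return the APOP timestamp from a POP3 greeting, or None if absent.

    None means the server does not offer APOP, so a client falling back
    to USER/PASS would send the password in clear text.
    """
    match = _TIMESTAMP.match(greeting.strip())
    return match.group(1) if match else None


def apop_digest(timestamp, secret):
    """MD5 over the timestamp (angle brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def apop_command(greeting, user, secret):
    """Client side: build the APOP line; the secret itself is never sent."""
    timestamp = banner_timestamp(greeting)
    if timestamp is None:
        raise ValueError("server banner carries no timestamp; APOP unavailable")
    return "APOP %s %s" % (user, apop_digest(timestamp, secret))


def server_verify(issued_timestamp, secret, command):
    """Server side: check the digest against the timestamp of THIS connection."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    expected = apop_digest(issued_timestamp, secret)
    return hmac.compare_digest(expected.encode(), parts[2].lower().encode())


if __name__ == "__main__":
    # Constructed session using the sample values from the RFC's APOP example.
    greeting = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
    line = apop_command(greeting, "mrose", "tanstaaf")
    print(line)
    print("same connection:", server_verify(banner_timestamp(greeting), "tanstaaf", line))
    # A captured APOP line presented on a later connection meets a new timestamp.
    print("later connection:", server_verify("<1897.697171000@dbc.mtview.ca.us>", "tanstaaf", line))
```

Because the server issues a fresh timestamp with every banner, a digest captured from one connection does not verify on another, which is the property the frequent mail checks lack with USER/PASS.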
An optional method (IMAP4), described in RFC 1734, provides another means
of authentication. The AUTH command allows the client to specify an
authentication mechanism to be used and a protocol exchange. This allows
the client to specify authentication methods it knows about and challenge
the server to see if it knows any of them as well. If no authentication
method can be agreed upon, then the APOP command is used (RFC 1725).
Also, you may install the latest Secure POP3 mail server
(with APOP/IMAP4) or disable POP mail if necessary.
Where can I read more about this?
Read CERT Advisory 97.09 for more information on vulnerabilities found in
IMAP and POP. Also, visit Eudora's Internet Messaging Primer for an
overview of POP and IMAP.