Multiple vulnerabilities in Mutt



Published: 2018-07-20
Risk Medium
Patch available YES
Number of vulnerabilities 5
CVE-ID N/A
CWE-ID CWE-119
CWE-22
CWE-193
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Mutt
Client/Desktop applications / Office applications

Vendor Mutt.org

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU13921

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in mutt_from_base64() function in imap/auth_cram.c and imap/auth_gss.c when processing responses from IMAP server. A remote attacker that controls the IMAP server can send an overly long response to the vulnerable mail client, trigger buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that victim connects to a compromised server or the attacker is able to perform MitM (man-in-the-middle) attack.

Mitigation

Update to version 1.10.1.

Vulnerable software versions

Mutt: 0.95.6 - 1.10.0

External links

http://gitlab.com/muttmua/mutt/commit/ed9d7727dc705754871e31cb41420f0ea956495b


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU13922

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in imap/command.c file when verifying IMAP mailbox status. A remote attacker that controls the IMAP server can send an overly long response to the vulnerable mail client, trigger buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that victim connects to a compromised server or the attacker is able to perform MitM (man-in-the-middle) attack.

Mitigation

Update to version 1.10.1.

Vulnerable software versions

Mutt: 0.95.6 - 1.10.0

External links

http://gitlab.com/muttmua/mutt/commit/ed9d7727dc705754871e31cb41420f0ea956495b


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU13923

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in msg_parse_fetch() function in imap/message.c file. A remote attacker that controls the IMAP server can send an overly long response to the vulnerable mail client, trigger buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that victim connects to a compromised server or the attacker is able to perform MitM (man-in-the-middle) attack.

Mitigation

Update to version 1.10.1.

Vulnerable software versions

Mutt: 0.95.6 - 1.10.0

External links

http://gitlab.com/muttmua/mutt/commit/ed9d7727dc705754871e31cb41420f0ea956495b


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Directory traversal

EUVDB-ID: #VU13924

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper sanitization of UID values in pop.c within bcache implementation. A remote attacker that controls the POP3 server can traverse directories on the client's system.


Mitigation

Update to version 1.10.1.

Vulnerable software versions

Mutt: 0.95.6 - 1.10.0

External links

http://gitlab.com/muttmua/mutt/commit/ed9d7727dc705754871e31cb41420f0ea956495b


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Off by one error

EUVDB-ID: #VU13925

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-193 - Off-by-one Error

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an off-by-one error in cmd_parse_lsub() function in imap/command.c file. A remote attacker that controls the IMAP server can send a specially crafted  response to the vulnerable mail client, trigger off-by-one overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that victim connects to a compromised server or the attacker is able to perform MitM (man-in-the-middle) attack.

Mitigation

Update to version 1.10.1.

Vulnerable software versions

Mutt: 0.95.6 - 1.10.0

External links

http://gitlab.com/muttmua/mutt/commit/ed9d7727dc705754871e31cb41420f0ea956495b


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###