IMail vulnerabilities

New (3.1.3)

Impact

A remote attacker could cause IMail to stop responding, thus shutting down e-mail service.

Background

IMail is an e-mail package which runs on Windows systems. It provides SMTP, IMAP, and POP services.

The Problem

It is possible to crash the IMail server by supplying a password between 80 and 136 characters in length with the SMTP AUTH command. A password longer than 136 characters causes the server to respond with an error message, but does not crash it.

IMail 6.05 and possibly earlier versions are affected by this vulnerability unless the patch for IMail 6.05 has been applied.
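The length window described above can be checked for in recorded SMTP sessions. The following detection sketch is an added example, not part of the original advisory or of IMail. It assumes the AUTH LOGIN and AUTH PLAIN mechanisms and measures the base64-decoded password, since the advisory does not say which mechanism or encoding the length refers to; all function names are hypothetical.

```python
import base64
import binascii

CRASH_MIN, CRASH_MAX = 80, 136  # password lengths named in the advisory

def enc(data):
    return base64.b64encode(data).decode()

def b64(token):
    """Decode a base64 token; fall back to the raw bytes if it is malformed."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return token.encode()

def classify(length):
    if CRASH_MIN <= length <= CRASH_MAX:
        return "crash-window"
    return "oversize" if length > CRASH_MAX else "ok"

def scan_session(client_lines):
    """Return (line_no, mechanism, password_length, verdict) per AUTH attempt."""
    findings, pending = [], None  # pending: AUTH continuation expected next
    for no, line in enumerate(client_lines, 1):
        parts = line.split()
        if not parts:
            continue
        token = None
        if pending:
            state, pending = pending, None
            if state == "LOGIN-user" and parts[0] != "*":
                pending = "LOGIN"          # username seen, password is next
            elif parts[0] != "*":          # "*" cancels the exchange
                token = parts[0]
        elif parts[0].upper() == "AUTH" and len(parts) >= 2:
            state = parts[1].upper()
            if state == "PLAIN" and len(parts) > 2:
                token = parts[2]           # initial response carries the secret
            elif state == "PLAIN":
                pending = "PLAIN"
            elif state == "LOGIN":
                pending = "LOGIN" if len(parts) > 2 else "LOGIN-user"
        if token is not None:
            raw = b64(token)
            # PLAIN packs authzid NUL authcid NUL password; LOGIN sends it alone
            pw = raw.split(b"\0")[-1] if state == "PLAIN" else raw
            findings.append((no, state, len(pw), classify(len(pw))))
    return findings

# Constructed client-side transcript (not captured traffic).
SAMPLE = ["EHLO client.example", "AUTH LOGIN", enc(b"alice"), enc(b"x" * 100),
          "AUTH PLAIN " + enc(b"\0bob\0" + b"p" * 12)]
```

Only the length and verdict are returned, so the passwords themselves never reach the findings.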

Resolution

Apply the SMTPd32, POP3d32, and IMAP4d32 patch for IMail 6.05.

Where can I read more about this?

This vulnerability was posted to Bugtraq.