JVN#19445002
APOP password recovery vulnerability
Overview
POP3 is a protocol for receiving email from mail servers. APOP is an authentication mechanism used by the POP3 protocol.
It is reported that APOP passwords could be recovered by third parties.
In a successful attack, the attacker impersonates the mail server, sends challenge strings to the client, and collects the client's responses. The attacker has to repeat this process for a certain period of time without alerting the user to the attack.
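The following is an added example, not part of the original advisory or of any vendor's code: a client-side sketch of how the APOP response is derived from the server's challenge (RFC 1939), with a strict syntax check applied to the challenge before any response is computed. The regular expression, the length cap and the function names are assumptions of this example. The check only narrows what a spoofed server can send and does not authenticate the server.

```python
import hashlib
import re

# Conservative challenge syntax (an assumption of this example, stricter than
# RFC 1939 requires): "<local@domain>" built only from printable ASCII, with
# no spaces, control bytes, or extra "<", ">" or "@" characters.
CHALLENGE_RE = re.compile(r"<[!-;=?A-~]+@[!-;=?A-~]+>")
MAX_CHALLENGE_LEN = 255  # arbitrary cap chosen for this example


def extract_challenge(greeting: bytes):
    """Return the APOP challenge from a POP3 greeting, or None if it is
    missing or malformed (in which case APOP must not be attempted)."""
    line = greeting.rstrip(b"\r\n")
    if not line.startswith(b"+OK"):
        return None
    try:
        text = line.decode("ascii")  # any non-ASCII byte is rejected outright
    except UnicodeDecodeError:
        return None
    start = text.find("<")
    if start == -1:
        return None
    candidate = text[start:]  # the challenge must be the last thing on the line
    if len(candidate) > MAX_CHALLENGE_LEN or not CHALLENGE_RE.fullmatch(candidate):
        return None
    return candidate


def apop_digest(challenge: str, password: str) -> str:
    """RFC 1939 APOP response: hex MD5 of the challenge followed by the secret."""
    data = challenge.encode("ascii") + password.encode("utf-8")
    return hashlib.md5(data).hexdigest()


def apop_command(greeting: bytes, user: str, password: str):
    """Build the APOP command, or return None so the caller can abort and
    avoid answering a challenge that failed validation."""
    challenge = extract_challenge(greeting)
    if challenge is None:
        return None
    return f"APOP {user} {apop_digest(challenge, password)}"
```

A caller that receives `None` from `apop_command` should close the connection without sending any digest.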
Products Affected
- Mail clients with an APOP implementation
Description
Impact
APOP passwords may be compromised. When the same password is used for other systems, those systems could be compromised as well.
Solution
Vendor Status
References
- IETF
  RFC1939: Post Office Protocol - Version 3
- FSE2007 rump session
  Practical Password Recovery on an MD5 Challenge-Response such as APOP (pdf)
- FSE2007 rump session
  Extended APOP Password Recovery Attack (pdf)
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2007.04.19
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file | |
Exploit Complexity | High - large amount of expertise and/or luck required (BIOS expertise, guessing correctly in a large space) | |
Credit
Yu Sasaki, Lei Wang, Kazuo Ohta, and Noboru Kunihiro of The University of Electro-Communication reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2007-1558 |
JVN iPedia | JVNDB-2007-000295 |