hMailServer IMAP Command Remote Denial of Service Vulnerability

Bugtraq ID:	30663
Class:	Design Error
CVE:	CVE-2008-3676
Remote:	Yes
Local:	No
Published:	Aug 12 2008 12:00AM
Updated:	May 07 2015 05:25PM
Credit:	João Antunes
Vulnerable:	hMailServer hMailServer 4.4.1
Not Vulnerable:	hMailServer hMailServer 4.4.2 (Build 279)

hMailServer IMAP Command Remote Denial of Service Vulnerability

hMailServer is prone to a remote denial-of-service vulnerability caused by large numbers of certain IMAP commands.

Exploiting this issue will cause the server to crash and deny access to legitimate users.

hMailServer 4.4.1 is vulnerable; other versions may also be affected.

hMailServer IMAP Command Remote Denial of Service Vulnerability

The following example commands are available:


A01 CREATE AAAAA
A02 CREATE AAAAAA
A03 CREATE AAAAAAA
...
A97 RENAME AAAAA BBBBB
A98 RENAME AAAAAA BBBBBB
A100 RENAME AAAAAAA BBBBBBB

hMailServer IMAP Command Remote Denial of Service Vulnerability

Solution:
The vendor has addressed this issue in hMailServer 4.4.2 (build 279). Please see the references for more information.


hMailServer hMailServer 4.4.1

• hMailServer hMailServer 4.4.2 (Build 279)
  http://www.hmailserver.com/?page=download_mirrors&downloadid=144

hMailServer IMAP Command Remote Denial of Service Vulnerability

References:

• hMailServer Homepage (hMailServer)
  
• [AJECT] hMailServer 4.4.1 DoS vulnerability (João Antunes)