In association with heise online

17 March 2008, 10:13

Security hole in MDaemon closed in MDaemon 9.6.5

The developers of the MDaemon mail server for Windows have released an updated version which closes a critical security hole. Attackers with valid login credentials could gain complete control of systems running the server.

The vulnerability was caused by inadequate length checks when processing FETCH requests to the IMAP service. This allowed attackers to cause a buffer overflow and execute arbitrary code. The milw0rm exploit archive already contains sample malware demonstrating how malicious code can be injected and executed at system privilege level.
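
The control the article says was missing is a length check before request data is copied into a fixed-size buffer. The C sketch below is an added example, not MDaemon's code and not part of the original article; the buffer sizes, struct and function names are assumptions, and it parses only the simple `tag FETCH sequence-set data-items` form.

```c
#include <stdio.h>
#include <string.h>

#define TAG_MAX 32      /* buffer sizes are assumptions for this example */
#define SEQ_MAX 128
#define ITEMS_MAX 512

enum { FETCH_OK = 0, FETCH_NOT_FETCH = -1, FETCH_MALFORMED = -2, FETCH_TOO_LONG = -3 };

struct fetch_req { char tag[TAG_MAX]; char seq[SEQ_MAX]; char items[ITEMS_MAX]; };

/* Copy the next token (or, if rest is set, the remainder of the line) into
 * dst. The length is checked against cap before any byte is written. */
static int take(const char **p, char *dst, size_t cap, int rest)
{
    size_t n = strcspn(*p, rest ? "\r\n" : " \r\n");
    if (n == 0) return FETCH_MALFORMED;
    if (n >= cap) return FETCH_TOO_LONG;  /* the check an unbounded copy omits */
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p += n;
    if (**p == ' ') (*p)++;
    return FETCH_OK;
}

/* Parse "tag FETCH sequence-set data-items" into fixed-size fields. */
int parse_fetch(const char *line, struct fetch_req *out)
{
    char verb[8];
    int rc;
    if ((rc = take(&line, out->tag, sizeof out->tag, 0)) != FETCH_OK) return rc;
    rc = take(&line, verb, sizeof verb, 0);
    if (rc == FETCH_TOO_LONG) return FETCH_NOT_FETCH;
    if (rc != FETCH_OK) return rc;
    for (char *c = verb; *c; c++)          /* IMAP commands are case-insensitive */
        if (*c >= 'a' && *c <= 'z') *c -= 'a' - 'A';
    if (strcmp(verb, "FETCH") != 0) return FETCH_NOT_FETCH;
    if ((rc = take(&line, out->seq, sizeof out->seq, 0)) != FETCH_OK) return rc;
    return take(&line, out->items, sizeof out->items, 1);
}

int main(void)
{
    struct fetch_req r;                    /* constructed sample request */
    int rc = parse_fetch("a1 FETCH 1:5 (FLAGS BODY[HEADER])\r\n", &r);
    printf("rc=%d seq=%s items=%s\n", rc, r.seq, r.items);
    return rc;
}
```

A request whose field exceeds its buffer is rejected with `FETCH_TOO_LONG` instead of being truncated or copied, so the server can answer with an error and log the oversized command.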

MDaemon 9.6.4 and possibly earlier versions are affected. The vendor has now released version 9.6.5 which resolves the vulnerability. Administrators of MDaemon servers are advised to download and install the updated version as soon as possible.

(mba)

Permalink: http://h-online.com/-734557
 

