Rule: -- Sid: 1993 -- Summary: This event is generated when a remote attacker sends a LOGIN command with a suspiciously long argument to an internal IMAP server, indicating an attempt to exploit a buffer overflow vulnerability in Carnegie Mellon University Cyrus IMAP Server. -- Impact: Possible remote execution of arbitrary code, leading to remote root compromise. -- Detailed Information: Carnegie Mellon University Cyrus IMAP Server 2.1.10 and earlier contains a buffer overflow vulnerability where a malformed, overly long argument to a LOGIN command sent to a vulnerable IMAP server can cause a buffer overflow condition. This can allow the attacker to overwrite data in memory, leading to the execution of arbitrary code on the server with the security privileges of the IMAP server process. -- Affected Systems: Any operating system running CMU Cyrus IMAP Server version 2.1.10 or earlier. -- Attack Scenarios: An attacker sends a LOGIN command with an overly long, specially crafted argument to a vulnerable IMAP server, causing a buffer overflow condition. The attacker can then overwrite specific words in memory to execute arbitrary code on the server with the security privileges of the IMAP server process. -- Ease of Attack: Simple. A proof of concept exists. -- False Positives: None known. -- False Negatives: None known. -- Corrective Action: Upgrade to a version of Cyrus IMAP Server higher than 2.1.10. -- Contributors: Original rule written by Brian Caswell <bmc@sourcefire.com> Sourcefire Research Team Sourcefire Technical Publications Team Jennifer Harvey <jennifer.harvey@sourcefire.com> -- Additional References: --
