MailEnable webmail component denial of service

mailenable-webmail-component-dos (25315) The risk level is classified as LowLow Risk

Description:

MailEnable Standard Edition is vulnerable to a denial of service attack caused by a vulnerability in the webmail component. A remote attacker could exploit this vulnerability to cause 100% CPU utilization, resulting in a denial of service.

Platforms Affected:

  • MailEnable, MailEnable Enterprise Edition prior to 1.21
  • MailEnable, MailEnable Professional Edition prior to 1.73
  • MailEnable, MailEnable Standard Edition prior to 1.93
  • Microsoft, Windows 2000 Professional
  • Microsoft, Windows 2000 Advanced Server
  • Microsoft, Windows 2003 Server Web
  • Microsoft, Windows 2003 Server Enterprise
  • Microsoft, Windows 2003 Server Standard
  • Microsoft, Windows NT 4.0 Server

Remedy:

For MailEnable Standard Edition:
Upgrade to the latest version of MailEnable Standard Edition (1.93 or later), available from the MailEnable Web site. See References.

For MailEnable Professional Edition:
Upgrade to the latest version of MailEnable Professional Edition (1.73 or later), available from the MailEnable Web site. See References.

For MailEnable Enterprise Edition:
Upgrade to the latest version of MailEnable Enterprise Edition (1.21 or later), available from the MailEnable Web site. See References.

Consequences:

Denial of Service

References:

  • MailEnable Web site, MailEnable - Enterprise Edition Revision History at http://www.mailenable.com/enterprisehistory.asp.
  • BID-17161: MailEnable Enterprise/Professional Editions Webmail Denial of Service Vulnerability
  • CVE-2006-1338: Webmail in MailEnable Professional Edition before 1.73 and Enterprise Edition before 1.21 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors involving incorrectly encoded quoted-printable emails.
  • CVE-2006-1792: Unspecified vulnerability in the POP service in MailEnable Standard Edition before 1.94, Professional Edition before 1.74, and Enterprise Edition before 1.22 has unknown attack vectors and impact related to authentication exploits. NOTE: this is a different set of affected versions, and probably a different vulnerability than CVE-2006-1337.
  • CVE-2006-6997: Unspecified vulnerability in a cryptographic feature in MailEnable Standard Edition before 1.93, Professional Edition before 1.73, and Enterprise Edition before 1.21 leads to weakened authentication security with unknown impact and attack vectors. NOTE: due to lack of details, it is not clear whether this is the same as CVE-2006-1792.
  • OSVDB ID: 24014: MailEnable WebMail Malformed Encoded Quoted-printable Mail DoS
  • SA19288: MailEnable Webmail and POP3 Buffer Overflow Vulnerabilities
  • VUPEN/ADV-2006-1006: MailEnable POP Authentication and Webmail Component Vulnerabilities

Reported:

Mar 20, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page