MDaemon Vulnerabilities

New (3.1.3)

Impact

A buffer overflow in MDaemon could allow a remote attacker to cause multiple network services to shut down.

Background

MDaemon is an e-mail server for Windows. It includes SMTP, POP, and IMAP services, a web-based e-mail client, and a web configuration service.

The Problem

There are two vulnerabilities in MDaemon which could lead to a denial of service. The first is in the IMAP service included with MDaemon: sending it a very long string could cause MDaemon to crash, denying service not only to IMAP but also to POP and SMTP.

The second problem is a denial-of-service vulnerability affecting the web configuration service. An attacker could exploit the vulnerability by sending a request for a very long URL.

Resolution

Upgrade to MDaemon 3.5.1.0 or higher.

Where can I read more about this?

For more information, see Defcom Labs Advisory 2000-03.