SonicALERT
Sonicwall Signatures

 



Category: IMAP

IMAP Category Description

This SonicWALL IPS signature category consists of a group of signatures that detect and prevent traffic related to attacks on IMAP servers. IMAP, or Internet Message Access Protocol, is a standard protocol for accessing mail on a remote server from a local client. It allows users to manipulate messages with a mail client while the messages are still on the server, in contrast to the POP protocol, which requires users to download messages to their local client before manipulating them. IMAP servers accept and send a set of standardized commands to serve e-mail messages to clients. Unfortunately, attackers have found a number of ways to manipulate these commands to exploit vulnerabilities in many versions of IMAP server software, causing the software to malfunction. These attacks can crash the server, give attackers access to sensitive information, or allow them to take complete control of the server.

Attackers target IMAP servers with buffer overflow attacks. In these attacks, the attacker sends a command with an overly long argument to an IMAP server, causing the server to mishandle the request and possibly execute code of the attacker's choice. For example, if an authenticated user sends a LIST command with an overly long argument to the server, several versions of IMAP server software will mishandle the command and potentially allow attackers to gain control over the server. Once in control, attackers can corrupt mailboxes, steal information, or use the server for their own ends. Even if such an attack fails to grant attackers control of a server, it will most likely crash the machine, shutting down e-mail access for all users on the server.

Because most of the attacks on IMAP servers that have a relatively high probability of success require attackers to be authenticated by the system first, these attacks do not represent a serious threat. SonicWALL IMAP signatures are classified as low-priority, and are by default set to detect and alert administrators of suspicious IMAP activity.
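The overly long argument condition described above can be checked on client command lines as follows. This is an added example, not SonicWALL's signature logic; the 1024-byte limit, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Assumed limit for this example; set it to the longest mailbox name or
# credential your own server legitimately accepts.
MAX_ARG_LEN = 1024

# Commands named by the signatures in this category.
WATCHED = {b"AUTHENTICATE", b"LIST", b"FIND", b"CREATE", b"DELETE",
           b"SELECT", b"LOGIN", b"EXAMINE", b"STATUS", b"SEARCH"}

# One argument: quoted string, trailing literal size {n} or {n+}, or atom.
ARG_RE = re.compile(rb'"((?:[^"\\]|\\.)*)"|\{(\d+)\+?\}$|([^\s"]+)')


def check_line(line, max_len=MAX_ARG_LEN):
    """Return (tag, command, longest_arg_len) for a suspicious line, else None."""
    parts = line.rstrip(b"\r\n").split(b" ", 2)
    if len(parts) < 3:
        return None  # command carries no arguments
    tag, command, rest = parts[0], parts[1].upper(), parts[2]
    if command not in WATCHED:
        return None
    longest = 0
    for quoted, literal, atom in ARG_RE.findall(rest):
        if literal:
            size = int(literal)  # length the client announces it will send
        elif atom:
            size = len(atom)
        else:
            size = len(quoted)
        longest = max(longest, size)
    return (tag, command, longest) if longest > max_len else None


def scan(lines, max_len=MAX_ARG_LEN):
    """Check each client line and return only the suspicious ones."""
    hits = (check_line(line, max_len) for line in lines)
    return [hit for hit in hits if hit is not None]


# Constructed sample client lines, not captured traffic.
SAMPLE = [
    b'a001 LOGIN alice "correct horse"\r\n',
    b'a002 LIST "" "*"\r\n',
    b'a003 LIST "" "' + b"A" * 2000 + b'"\r\n',
    b'a004 SELECT {4096}\r\n',
    b'a005 NOOP\r\n',
    b'a006 select INBOX\r\n',
]

if __name__ == "__main__":
    for tag, command, size in scan(SAMPLE):
        print(tag.decode(), command.decode(), size)
```

The literal case matters because a client can announce an oversized argument with `{n}` before sending any of its bytes, so the announced size is checked as well as the bytes on the line.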

  IMAP Request with Malformed AUTHENTICATE Command
  IMAP Request with Malformed LIST Command 1
  IMAP Request with Malformed FIND Command
  IMAP Request with Malformed CREATE Command
  IMAP Malformed Request 1
  IMAP Request with Malformed DELETE Command
  IMAP Request with Malformed LIST Command 2
  IMAP Request with Malformed SELECT Command 2
  IMAP Request with Malformed LOGIN Command 2
  IMAP Request with Malformed EXAMINE Command
  IMAP Request with Malformed SELECT Command 3
  Microsoft Outlook MONIKERLINK Security Feature Bypass
  Microsoft Outlook MONIKERLINK Security Feature Bypass 2
  Microsoft Outlook Email Invite Information Disclosure
  MailEnable IMAPD LOGIN Command Buffer Overflow
  IMAP Request with Malformed SELECT Command 1
  IMAP Request with Malformed LOGIN Command 1
  IMAP Request with Malformed STATUS Command
  IMAP Request with Malformed SEARCH Command
  Perdition IMAP Proxy str_vwrite Format String Attack
  HCL Domino Mailbox Name Buffer Overflow
  Dovecot Quoted String Remote Code Execution 1
  Dovecot Quoted String Remote Code Execution 2
  IMAP Toolkit imap_open Remote Code Execution
  Microsoft Outlook MONIKERLINK Security Feature Bypass 3
  Microsoft Outlook MONIKERLINK Security Feature Bypass 4

