IMail Server contains a flaw that may allow a remote denial of service. The issue is due to the IMAP daemon (IMAPD32.EXE) service while parsing malformed LSUB commands. By passing an overly long string of NULL characters to the 'LSUB' command, a remote attacker can cause the daemon to go into an infinite loop and consume all available CPU resources resulting in a loss of availability for the IMAP service.

Upgrade to version 8.2 Hotfix 2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1014047
• Secunia Advisory ID: 15483
• Related OSVDB ID: 16804 16805 16806 16807
• CVE ID: 2005-1249 (see also: NVD)
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0273.html
• Other Advisory URL: http://www.idefense.com/application/poi/display?id=245&type=vulnerabilities
• Vendor URL: http://www.ipswitch.com/products/IMail_Server/index.html
• Vendor Specific Advisory URL: http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html

• Anonymous - iDefense Labs VCP