oss-sec mailing list archives
CVE Request -- inn (nnrpd): Prone to STARTTLS plaintext command injection
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 21 Aug 2012 12:11:09 -0400 (EDT)
Hello Kurt, Steve, vendors,

the STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
[3] https://bugzilla.redhat.com/show_bug.cgi?id=850478

Relevant upstream patch (the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: There doesn't seem to be one for this issue yet:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=plaintext+command+injection
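The buffering flaw described in the message above, as an added example that is not part of the original post and is neither INN's code nor the upstream patch: a simplified model of a line-buffered reader showing why bytes read before the handshake must not survive the switch to TLS. The struct, the function names, the discard-on-STARTTLS mitigation and the sample segments are assumptions made for illustration.

```c
#include <string.h>
#include <strings.h>

/* Simplified, hypothetical model of a line-buffered reader (not INN's code). */
struct session {
    char   buf[256]; /* bytes already read from the socket, not yet parsed */
    size_t len;      /* number of unparsed bytes in buf */
    int    tls;      /* 1 once the TLS handshake has completed */
};

/* Pop one CRLF-terminated line from s->buf into out; return 0 if none left. */
static int next_line(struct session *s, char *out, size_t outsz)
{
    for (size_t i = 0; i + 1 < s->len; i++) {
        if (s->buf[i] != '\r' || s->buf[i + 1] != '\n')
            continue;
        size_t n = i < outsz - 1 ? i : outsz - 1;
        memcpy(out, s->buf, n);
        out[n] = '\0';
        memmove(s->buf, s->buf + i + 2, s->len - (i + 2));
        s->len -= i + 2;
        return 1;
    }
    return 0;
}

/* Feed one cleartext segment (constructed sample input) and return how many
 * commands from it are executed after the switch to TLS (-1 if too long). */
int cleartext_cmds_run_under_tls(const char *segment, int discard_on_starttls)
{
    struct session s = { .len = 0, .tls = 0 };
    char line[128];
    int leaked = 0;

    if (strlen(segment) >= sizeof s.buf)
        return -1;
    s.len = strlen(segment);
    memcpy(s.buf, segment, s.len);
    while (next_line(&s, line, sizeof line)) {
        if (!s.tls && strcasecmp(line, "STARTTLS") == 0) {
            if (discard_on_starttls)
                s.len = 0; /* hardened: drop bytes buffered before the handshake */
            s.tls = 1;     /* handshake modelled as instantaneous */
        } else if (s.tls) {
            leaked++;      /* cleartext-origin command handled as if protected */
        }
    }
    return leaked;
}
```

With the constructed segment "STARTTLS\r\nDATE\r\n", the unhardened path executes the trailing command as if it had arrived over TLS, while discarding the buffer at the STARTTLS boundary leaves nothing to execute.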