oss-sec mailing list archives

CVE Request -- inn (nnrpd): Prone to STARTTLS plaintext command injection


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 21 Aug 2012 12:11:09 -0400 (EDT)

Hello Kurt, Steve, vendors,

  the STARTTLS implementation in INN's NNTP server for readers,
nnrpd, before 2.5.3 does not properly restrict I/O buffering,
which allows man-in-the-middle attackers to insert commands
into encrypted sessions by sending a cleartext command that
is processed after TLS is in place, related to a "plaintext
command injection" attack, a similar issue to CVE-2011-0411.

References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
[3] https://bugzilla.redhat.com/show_bug.cgi?id=850478

Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: There doesn't seem to be one for this issue yet:
      http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=plaintext+command+injection
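Added example to illustrate the buffering defect the request describes; this is constructed code, not INN's nnrpd and not part of the original post. The NntpSession class, its methods and the sample command lines are assumptions: the vulnerable variant keeps plaintext already read past the STARTTLS line and dispatches it once TLS is in place, the fixed variant discards those leftovers at the transition.

```python
class NntpSession:
    """Simulated reader-side command loop (constructed, not INN's nnrpd)."""

    def __init__(self, discard_on_starttls: bool):
        self.buf = b""                  # application-level read buffer
        self.tls = False                # whether TLS is in place
        self.discard_on_starttls = discard_on_starttls
        self.discarded = 0              # bytes dropped at the TLS transition
        self.log = []                   # (tls_in_place, command_line) pairs

    def feed(self, data: bytes) -> None:
        """Bytes read from the socket (plaintext before TLS, decrypted after)."""
        self.buf += data

    def _next_line(self):
        i = self.buf.find(b"\r\n")
        if i < 0:
            return None
        line, self.buf = self.buf[:i], self.buf[i + 2:]
        return line.decode("ascii", "replace")

    def process(self):
        """Dispatch every complete line currently in the buffer."""
        while (line := self._next_line()) is not None:
            self.log.append((self.tls, line))
            if line.upper().startswith("STARTTLS") and not self.tls:
                # The TLS handshake is assumed to succeed at this point.
                # Defect: a vulnerable server keeps whatever plaintext it had
                # already read past the STARTTLS line and later dispatches it
                # as if it had arrived over the protected channel.
                if self.discard_on_starttls:
                    self.discarded += len(self.buf)   # worth logging as an audit signal
                    self.buf = b""                    # fix: drop pre-TLS leftovers
                self.tls = True
        return list(self.log)


def run(discard_on_starttls: bool):
    s = NntpSession(discard_on_starttls)
    # Constructed input: one segment carries STARTTLS plus a trailing
    # plaintext line the server has not consumed when it negotiates TLS.
    s.feed(b"STARTTLS\r\nGROUP news.injected\r\n")
    s.process()
    # The genuine client command, now received through TLS.
    s.feed(b"GROUP news.legit\r\n")
    return s.process()
```

In the vulnerable run the injected GROUP line is logged with TLS marked as in place; in the fixed run it never reaches the dispatcher.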

