oss-sec mailing list archives

Re: CVE Request -- inn (nnrpd): Prone to STARTTLS plaintext command injection


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 21 Aug 2012 17:59:40 -0600


On 08/21/2012 10:11 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> the STARTTLS implementation in INN's NNTP server for readers,
> nnrpd, before 2.5.3 does not properly restrict I/O buffering, which
> allows man-in-the-middle attackers to insert commands into
> encrypted sessions by sending a cleartext command that is processed
> after TLS is in place, related to a "plaintext command injection"
> attack, a similar issue to CVE-2011-0411.
>
> References:
> [1] https://www.isc.org/software/inn/2.5.3article
> [2] https://bugs.gentoo.org/show_bug.cgi?id=432002
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=850478
>
> Relevant upstream patch (the 'diff -Nurp inn-2.5.2/nnrpd/misc.c
> inn-2.5.3/nnrpd/misc.c' part):
> [4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz
>
> Could you allocate a CVE id for this?

Please use CVE-2012-3523 for this issue.

> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: There doesn't seem to be one for this issue yet:
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=plaintext+command+injection

no inn CVEs since .. 2004, wow.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

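The buffering flaw described in the quoted request, as an added example that is not part of the original message and is not INN code or the upstream patch. It is a toy model with hypothetical names (`struct session`, `feed_plaintext`, `flush_on_starttls`) and a constructed input segment; discarding buffered plaintext at the upgrade is shown as the general mitigation for this bug class, an assumption here rather than a description of INN's fix.

```c
#include <stdio.h>
#include <string.h>

/* Toy NNTP-like session: one input buffer shared by plaintext and TLS phases. */
struct session {
    char buf[256];     /* bytes received but not yet parsed */
    size_t len;
    int tls_active;    /* set once STARTTLS has been accepted */
    int cmds_in_tls;   /* commands executed while tls_active is set */
    size_t discarded;  /* plaintext bytes dropped at the upgrade */
};

/* Pop one CRLF-terminated line from s->buf into line; return 0 if none. */
static int next_line(struct session *s, char *line, size_t cap) {
    for (size_t i = 0; i + 1 < s->len; i++) {
        if (s->buf[i] != '\r' || s->buf[i + 1] != '\n') continue;
        size_t n = i < cap - 1 ? i : cap - 1;
        memcpy(line, s->buf, n); line[n] = '\0';
        memmove(s->buf, s->buf + i + 2, s->len - (i + 2));
        s->len -= i + 2;
        return 1;
    }
    return 0;
}

/* Feed one plaintext TCP segment. flush_on_starttls = 1 is the hardened path.
   Returns how many buffered plaintext commands ran as if sent over TLS. */
int feed_plaintext(struct session *s, const char *seg, int flush_on_starttls) {
    size_t n = strlen(seg), room = sizeof s->buf - s->len;
    if (n > room) n = room;
    memcpy(s->buf + s->len, seg, n); s->len += n;
    char line[128];
    while (next_line(s, line, sizeof line)) {
        if (s->tls_active) { s->cmds_in_tls++; continue; }
        if (strcmp(line, "STARTTLS") == 0) {
            if (flush_on_starttls) { s->discarded = s->len; s->len = 0; }
            s->tls_active = 1;  /* a real server runs the TLS handshake here */
        }
    }
    return s->cmds_in_tls;
}

int main(void) {
    const char *seg = "STARTTLS\r\nGROUP example.test\r\n";  /* constructed input */
    struct session weak = {0}, hard = {0};
    int w = feed_plaintext(&weak, seg, 0), h = feed_plaintext(&hard, seg, 1);
    printf("no flush: %d injected; flush: %d injected\n", w, h);
    return 0;
}
```

A nonzero `discarded` count at upgrade time is also worth logging, since a well-behaved client waits for the STARTTLS response before sending anything further.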

