oss-sec mailing list archives
Re: CVE Request -- inn (nnrpd): Prone to STARTTLS plaintext command injection
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 21 Aug 2012 17:59:40 -0600
On 08/21/2012 10:11 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> the STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
>
> References:
> [1] https://www.isc.org/software/inn/2.5.3article
> [2] https://bugs.gentoo.org/show_bug.cgi?id=432002
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=850478
>
> Relevant upstream patch (the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
> [4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz
>
> Could you allocate a CVE id for this?
Please use CVE-2012-3523 for this issue.
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: There doesn't seem to be one for this issue yet:
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=plaintext+command+injection
no inn CVEs since .. 2004, wow.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993