===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0273
            STARTTLS plaintext command injection vulnerability
                               9 March 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           STARTTLS
Publisher:         US-CERT
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0411  

Original Bulletin: 
   http://www.kb.cert.org/vuls/id/555316

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#555316
STARTTLS plaintext command injection vulnerability

Overview

Some STARTTLS implementations could allow a remote attacker to inject commands 
during the plaintext phase of the protocol.

I. Description

STARTTLS is an extension to plaintext communication protocols that offers a 
way to upgrade a plaintext connection to an encrypted (TLS or SSL) connection 
instead of using a separate port for encrypted communication. Some 
implementations of STARTTLS contain a vulnerability that could allow a remote 
unauthenticated attacker to inject commands during the plaintext protocol 
phase that will be executed during the ciphertext protocol phase. This 
vulnerability is caused by the switch from plaintext to TLS being implemented 
below the application's I/O buffering layer: bytes that the application has 
already read ahead into its buffer, but not yet processed, when it handles the 
STARTTLS command remain in that buffer after the TLS handshake and are then 
processed as though they had been received over the encrypted connection.

This issue is only of practical concern for affected implementations that also 
perform correct certificate validation. Implementations which do not perform 
certificate validation are already inherently vulnerable to man-in-the-middle
attacks.

Note: Not all implementations of STARTTLS are affected by this vulnerability. 
Please see the Vendor Information below for specific vendor information.

II. Impact

A remote attacker with the ability to pose as a man-in-the-middle may be able 
to inject commands for the corresponding protocol (e.g., SMTP, POP3, etc.) 
during the plaintext protocol phase that will then be executed during the 
ciphertext protocol phase.

III. Solution

Update

Please see the Vendor Information below for specific vendor information and 
patches.

Purge the application I/O buffer

Developers of STARTTLS-enabled applications should take care to purge the 
application's I/O buffer immediately after switching to TLS in order to 
mitigate this vulnerability.
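The following is an added simulation, not code from the CERT note or from any
vendor, of the layering the Description and Solution sections refer to: a server
with an application-level read-ahead buffer sitting on top of a transport whose
STARTTLS switch happens beneath that buffer. With purge_on_starttls=False, a
second line that arrived in the same plaintext segment as STARTTLS is logged as
a command of the encrypted session; with the purge this note recommends, it is
discarded. Transport, Server, SEGMENT and run are constructed names.

```python
import io


class Transport:
    """Stands in for the socket. starttls() happens here, below the server's
    read-ahead buffer, which is the layering the advisory describes."""
    def __init__(self, raw: bytes):
        self._raw = io.BytesIO(raw)   # constructed stand-in for the wire
        self.encrypted = False

    def recv(self, n: int = 4096) -> bytes:
        return self._raw.read(n)      # one call may return several lines

    def starttls(self) -> None:
        self.encrypted = True         # handshake modelled as a flag flip


class Server:
    """Minimal SMTP-like command loop with an application-level line buffer."""
    def __init__(self, transport: Transport, purge_on_starttls: bool):
        self.t = transport
        self.purge = purge_on_starttls
        self.buf = b""                # bytes read from the transport, not yet consumed
        self.log = []                 # (command, session_was_encrypted)

    def readline(self):
        while b"\n" not in self.buf:
            chunk = self.t.recv()
            if not chunk:
                return None
            self.buf += chunk         # read-ahead can swallow later lines too
        line, _, self.buf = self.buf.partition(b"\n")
        return line.rstrip(b"\r").decode("ascii", "replace")

    def serve(self):
        while (cmd := self.readline()) is not None:
            self.log.append((cmd, self.t.encrypted))
            if cmd.upper() == "STARTTLS":
                self.t.starttls()
                if self.purge:
                    self.buf = b""    # the fix: drop plaintext read-ahead
            elif cmd.upper() == "QUIT":
                break
        return self.log


# Constructed input: STARTTLS followed by a second line in the same segment.
SEGMENT = b"EHLO client.example\r\nSTARTTLS\r\nNOOP\r\n"


def run(purge_on_starttls: bool):
    return Server(Transport(SEGMENT), purge_on_starttls).serve()
```

The unpurged log attributes the trailing NOOP to the encrypted session even though it was read in plaintext; the purged log stops at STARTTLS.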

Vendor Information
Vendor					Status		Date Notified	Date Updated
3com Inc				Unknown		2011-01-19	2011-01-19
ACCESS					Unknown		2011-01-19	2011-01-19
Alcatel-Lucent				Unknown		2011-01-19	2011-01-19
America Online Inc.			Unknown		2011-01-19	2011-01-19
Apache HTTP Server Project		Unknown		2011-01-19	2011-01-19
AT&T					Unknown		2011-01-19	2011-01-19
Avaya, Inc.				Unknown		2011-01-19	2011-01-19
Barracuda Networks			Unknown		2011-01-19	2011-01-19
Belkin, Inc.				Unknown		2011-01-19	2011-01-19
Blue Coat Systems			Unknown		2011-01-19	2011-01-19
Borderware Technologies			Unknown		2011-01-19	2011-01-19
Check Point Software Technologies	Unknown		2011-01-19	2011-01-19
Cisco Systems, Inc.			Unknown		2011-01-19	2011-01-19
Clavister				Unknown		2011-01-19	2011-01-19
Computer Associates			Unknown		2011-01-19	2011-01-19
Courier-mta				Unknown		2011-01-27	2011-01-27
Cray Inc.				Unknown		2011-01-19	2011-01-19
EMC Corporation				Unknown		2011-01-19	2011-01-19
Engarde Secure Linux			Unknown		2011-01-19	2011-01-19
Enterasys Networks			Unknown		2011-01-19	2011-01-19
Ericsson				Unknown		2011-01-19	2011-01-19
eSoft, Inc.				Unknown		2011-01-19	2011-01-19
Extreme Networks			Unknown		2011-01-19	2011-01-19
F5 Networks, Inc.			Unknown		2011-01-19	2011-01-19
Force10 Networks, Inc.			Unknown		2011-01-19	2011-01-19
Fortinet, Inc.				Unknown		2011-01-19	2011-01-19
Foundry Networks, Inc.			Unknown		2011-01-19	2011-01-19
Fujitsu					Unknown		2011-01-19	2011-01-19
Global Technology Associates, Inc.	Unknown		2011-01-19	2011-01-19
Google					Unknown		2011-01-19	2011-01-19
Hewlett-Packard Company			Unknown		2011-01-19	2011-01-19
Hitachi					Unknown		2011-01-19	2011-01-19
IBM Corporation				Unknown		2011-01-19	2011-01-19
IBM Corporation (zseries)		Unknown		2011-01-19	2011-01-19
IBM eServer				Unknown		2011-01-19	2011-01-19
Infoblox				Unknown		2011-01-19	2011-01-19
Intel Corporation			Unknown		2011-01-19	2011-01-19
Internet Security Systems, Inc.		Unknown		2011-01-19	2011-01-19
Intoto					Unknown		2011-01-19	2011-01-19
IP Infusion, Inc.			Unknown		2011-01-19	2011-01-19
Ipswitch, Inc				Affected	2011-01-21	2011-03-01
Juniper Networks, Inc.			Unknown		2011-01-19	2011-01-19
Kerio Technologies			Affected	2011-01-19	2011-03-01
M86 Security				Unknown		2011-01-19	2011-01-19
McAfee					Unknown		2011-01-19	2011-01-19
MontaVista Software, Inc.		Unknown		2011-01-19	2011-01-19
NEC Corporation				Unknown		2011-01-19	2011-01-19
NetApp					Unknown		2011-01-19	2011-01-19
Nokia					Unknown		2011-01-19	2011-01-19
Nortel Networks, Inc.			Unknown		2011-01-19	2011-01-19
Novell, Inc.				Not Affected	2011-01-19	2011-03-03
Oracle Corporation			Unknown		2011-01-19	2011-01-19
Palo Alto Networks			Not Affected	2011-01-19	2011-03-01
Postfix					Affected	2011-03-03
Process Software			Unknown		2011-01-19	2011-01-19
Q1 Labs					Unknown		2011-01-19	2011-01-19
Qmail-TLS				Affected	2011-01-19	2011-03-07
QNX Software Systems Inc.		Unknown		2011-01-19	2011-01-19
RadWare, Inc.				Unknown		2011-01-19	2011-01-19
Red Hat, Inc.				Unknown		2011-01-19	2011-01-19
Redback Networks, Inc.			Unknown		2011-01-19	2011-01-19
SafeNet					Unknown		2011-01-19	2011-01-19
Secureworx, Inc.			Unknown		2011-01-19	2011-01-19
Silicon Graphics, Inc.			Unknown		2011-01-19	2011-01-19
Sony Corporation			Unknown		2011-01-19	2011-01-19
Stonesoft				Unknown		2011-01-19	2011-01-19
Sun Microsystems, Inc.			Affected	2011-01-19	2011-03-01
Symantec				Unknown		2011-01-19	2011-01-19
The SCO Group				Affected	2011-01-19	2011-03-01
Unisys					Unknown		2011-01-19	2011-01-19
Vyatta					Unknown		2011-01-19	2011-01-19
Watchguard Technologies, Inc.		Unknown		2011-01-19	2011-01-19
Wind River Systems, Inc.		Unknown		2011-01-19	2011-01-19
ZyXEL					Unknown		2011-01-19	2011-01-19

References

http://tools.ietf.org/html/rfc2595
http://tools.ietf.org/html/rfc3207
http://tools.ietf.org/html/rfc4642

Credit

Thanks to Wietse Venema for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:              2011-03-07
Date First Published:     2011-03-07
Date Last Updated:        2011-03-07
CERT Advisory:
CVE-ID(s):                CVE-2011-0411
NVD-ID(s):                CVE-2011-0411
US-CERT Technical Alerts:
Severity Metric:          1.39
Document Revision:        31

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================