-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0273
           STARTTLS plaintext command injection vulnerability
                               9 March 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           STARTTLS
Publisher:         US-CERT
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-0411

Original Bulletin:
   http://www.kb.cert.org/vuls/id/555316

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#555316

STARTTLS plaintext command injection vulnerability

Overview

Some STARTTLS implementations could allow a remote attacker to inject
commands during the plaintext phase of the protocol.

I. Description

STARTTLS is an extension to plaintext communication protocols that offers
a way to upgrade a plaintext connection to an encrypted (TLS or SSL)
connection instead of using a separate port for encrypted communication.

Some implementations of STARTTLS contain a vulnerability that could allow
a remote unauthenticated attacker to inject commands during the plaintext
protocol phase that will be executed during the ciphertext protocol phase.
The vulnerability is caused by the switch from plaintext to TLS being
implemented below the application's I/O buffering layer: input that the
application has already read ahead in plaintext stays in its buffer and is
consumed after the TLS handshake as if it had arrived over the encrypted
channel.

This issue is only of practical concern for affected implementations that
also perform correct certificate validation. Implementations which do not
perform certificate validation are already inherently vulnerable to
man-in-the-middle attacks.

Note: Not all implementations of STARTTLS are affected by this
vulnerability. Please see the Vendor Information below for specific vendor
information.

II. Impact

A remote attacker with the ability to pose as a man-in-the-middle may be
able to inject commands for the corresponding protocol (e.g., SMTP, POP3,
etc.) during the plaintext protocol phase, which will then be executed
during the ciphertext protocol phase.

III. Solution

Update

Please see the Vendor Information below for specific vendor information
and patches.

Purge the application I/O buffer

Developers of STARTTLS-enabled applications should take care to purge the
application's I/O buffer immediately after switching to TLS in order to
mitigate this vulnerability.

Vendor Information

Vendor                              Status        Date Notified  Date Updated
3com Inc                            Unknown       2011-01-19     2011-01-19
ACCESS                              Unknown       2011-01-19     2011-01-19
Alcatel-Lucent                      Unknown       2011-01-19     2011-01-19
America Online Inc.                 Unknown       2011-01-19     2011-01-19
Apache HTTP Server Project          Unknown       2011-01-19     2011-01-19
AT&T                                Unknown       2011-01-19     2011-01-19
Avaya, Inc.                         Unknown       2011-01-19     2011-01-19
Barracuda Networks                  Unknown       2011-01-19     2011-01-19
Belkin, Inc.                        Unknown       2011-01-19     2011-01-19
Blue Coat Systems                   Unknown       2011-01-19     2011-01-19
Borderware Technologies             Unknown       2011-01-19     2011-01-19
Check Point Software Technologies   Unknown       2011-01-19     2011-01-19
Cisco Systems, Inc.                 Unknown       2011-01-19     2011-01-19
Clavister                           Unknown       2011-01-19     2011-01-19
Computer Associates                 Unknown       2011-01-19     2011-01-19
Courier-mta                         Unknown       2011-01-27     2011-01-27
Cray Inc.                           Unknown       2011-01-19     2011-01-19
EMC Corporation                     Unknown       2011-01-19     2011-01-19
Engarde Secure Linux                Unknown       2011-01-19     2011-01-19
Enterasys Networks                  Unknown       2011-01-19     2011-01-19
Ericsson                            Unknown       2011-01-19     2011-01-19
eSoft, Inc.                         Unknown       2011-01-19     2011-01-19
Extreme Networks                    Unknown       2011-01-19     2011-01-19
F5 Networks, Inc.                   Unknown       2011-01-19     2011-01-19
Force10 Networks, Inc.              Unknown       2011-01-19     2011-01-19
Fortinet, Inc.                      Unknown       2011-01-19     2011-01-19
Foundry Networks, Inc.              Unknown       2011-01-19     2011-01-19
Fujitsu                             Unknown       2011-01-19     2011-01-19
Global Technology Associates, Inc.  Unknown       2011-01-19     2011-01-19
Google                              Unknown       2011-01-19     2011-01-19
Hewlett-Packard Company             Unknown       2011-01-19     2011-01-19
Hitachi                             Unknown       2011-01-19     2011-01-19
IBM Corporation                     Unknown       2011-01-19     2011-01-19
IBM Corporation (zseries)           Unknown       2011-01-19     2011-01-19
IBM eServer                         Unknown       2011-01-19     2011-01-19
Infoblox                            Unknown       2011-01-19     2011-01-19
Intel Corporation                   Unknown       2011-01-19     2011-01-19
Internet Security Systems, Inc.     Unknown       2011-01-19     2011-01-19
Intoto                              Unknown       2011-01-19     2011-01-19
IP Infusion, Inc.                   Unknown       2011-01-19     2011-01-19
Ipswitch, Inc                       Affected      2011-01-21     2011-03-01
Juniper Networks, Inc.              Unknown       2011-01-19     2011-01-19
Kerio Technologies                  Affected      2011-01-19     2011-03-01
M86 Security                        Unknown       2011-01-19     2011-01-19
McAfee                              Unknown       2011-01-19     2011-01-19
MontaVista Software, Inc.           Unknown       2011-01-19     2011-01-19
NEC Corporation                     Unknown       2011-01-19     2011-01-19
NetApp                              Unknown       2011-01-19     2011-01-19
Nokia                               Unknown       2011-01-19     2011-01-19
Nortel Networks, Inc.               Unknown       2011-01-19     2011-01-19
Novell, Inc.                        Not Affected  2011-01-19     2011-03-03
Oracle Corporation                  Unknown       2011-01-19     2011-01-19
Palo Alto Networks                  Not Affected  2011-01-19     2011-03-01
Postfix                             Affected                     2011-03-03
Process Software                    Unknown       2011-01-19     2011-01-19
Q1 Labs                             Unknown       2011-01-19     2011-01-19
Qmail-TLS                           Affected      2011-01-19     2011-03-07
QNX Software Systems Inc.           Unknown       2011-01-19     2011-01-19
RadWare, Inc.                       Unknown       2011-01-19     2011-01-19
Red Hat, Inc.                       Unknown       2011-01-19     2011-01-19
Redback Networks, Inc.              Unknown       2011-01-19     2011-01-19
SafeNet                             Unknown       2011-01-19     2011-01-19
Secureworx, Inc.                    Unknown       2011-01-19     2011-01-19
Silicon Graphics, Inc.              Unknown       2011-01-19     2011-01-19
Sony Corporation                    Unknown       2011-01-19     2011-01-19
Stonesoft                           Unknown       2011-01-19     2011-01-19
Sun Microsystems, Inc.              Affected      2011-01-19     2011-03-01
Symantec                            Unknown       2011-01-19     2011-01-19
The SCO Group                       Affected      2011-01-19     2011-03-01
Unisys                              Unknown       2011-01-19     2011-01-19
Vyatta                              Unknown       2011-01-19     2011-01-19
Watchguard Technologies, Inc.       Unknown       2011-01-19     2011-01-19
Wind River Systems, Inc.            Unknown       2011-01-19     2011-01-19
ZyXEL                               Unknown       2011-01-19     2011-01-19

References

http://tools.ietf.org/html/rfc2595
http://tools.ietf.org/html/rfc3207
http://tools.ietf.org/html/rfc4642

Credit

Thanks to Wietse Venema for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:               2011-03-07
Date First Published:      2011-03-07
Date Last Updated:         2011-03-07
CERT Advisory:
CVE-ID(s):                 CVE-2011-0411
NVD-ID(s):                 CVE-2011-0411
US-CERT Technical Alerts:
Severity Metric:           1.39
Document Revision:         31

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNdvh3/iFOrG6YcBERAnStAJ927e5COW23yJEPv/hrkNUEWsTIagCgyTOj
mUQ9pfVUXfQoL1XMh4UQvD4=
=IeG1
-----END PGP SIGNATURE-----
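The flaw the note describes (TLS switch below the I/O buffer) and the purge it recommends, shown as a model added here; this is illustration code, not the code of the note's author or of any vendor listed above. The `BufferedReader` class, the `serve()` loop and the SMTP segments in `SEGMENTS` are all constructed for the example.

```python
# Added illustration: line-buffered SMTP-style reader whose STARTTLS switch
# happens below the buffer, with and without the I/O-buffer purge that
# VU#555316 recommends. Constructed model, not any listed vendor's code.

class BufferedReader:
    """Line reader over an application-level buffer (think stdio over a
    socket): whole segments are read ahead, beyond the line in use."""

    def __init__(self, segments):
        self.segments = list(segments)  # simulated TCP segments (bytes)
        self.buf = b""

    def readline(self):
        while b"\n" not in self.buf:
            if not self.segments:
                return None
            self.buf += self.segments.pop(0)
        line, _, self.buf = self.buf.partition(b"\n")
        return line.rstrip(b"\r").decode()

    def discard_buffered(self):
        """The mitigation: drop anything read ahead during the plaintext phase."""
        self.buf = b""

def serve(segments, purge_on_starttls):
    """Minimal command loop; returns [(command, handled_under_tls)]."""
    reader = BufferedReader(segments)
    tls = False
    executed = []
    while (cmd := reader.readline()) is not None:
        if cmd.upper() == "STARTTLS":
            if purge_on_starttls:
                reader.discard_buffered()
            tls = True  # handshake runs here on the raw socket, below the buffer
            continue
        executed.append((cmd, tls))
        if cmd.upper() == "QUIT":
            break
    return executed

# Constructed traffic: segment one is plaintext with an "RSET" appended after
# the client's STARTTLS; later segments model data received after the handshake.
SEGMENTS = [
    b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n",
    b"MAIL FROM:<alice@example.com>\r\nQUIT\r\n",
]

if __name__ == "__main__":
    print("vulnerable:", serve(SEGMENTS, False))
    print("purged:", serve(SEGMENTS, True))
```

Without the purge the read-ahead `RSET` is handled with `tls` already true, i.e. as though it had arrived inside the encrypted session; with the purge only the post-handshake segment is processed.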