nginx 1.7.3 SMTP STARTTLS plaintext injection flaw

2014.12.30
Credit: Vasyl
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Upstream [1] reports: ... A bug in nginx SMTP proxy was found, which allows an attacker in a privileged network position to inject commands into SSL sessions started with the STARTTLS command, potentially making it possible to steal sensitive information sent by clients (CVE-2014-3556). The problem affects nginx 1.5.6 - 1.7.3. The problem is fixed in nginx 1.7.4, 1.6.1. Patch for the problem can be found here: http://nginx.org/download/patch.2014.starttls.txt [1]: http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html --- src/mail/ngx_mail_smtp_handler.c +++ src/mail/ngx_mail_smtp_handler.c @@ -777,6 +777,9 @@ ngx_mail_smtp_starttls(ngx_mail_session_ ngx_str_null(&s->smtp_from); ngx_str_null(&s->smtp_to); + s->buffer->pos = s->buffer->start; + s->buffer->last = s->buffer->start; + c->read->handler = ngx_mail_starttls_handler; return NGX_OK; }
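
Review bot: the two buffer resets added before `c->read->handler = ngx_mail_starttls_handler;` carry no comment saying why they are there, namely that they deliberately throw away any plaintext bytes the client (or something in the path) pipelined behind the STARTTLS command, which is exactly the injection vector this patch closes; a one-line comment would stop a later reader from mistaking the discard for dropped input. The approach itself is sound: RFC 3207 requires the server to discard state obtained before the TLS negotiation, and a compliant client sends nothing after STARTTLS until it has read the 220 reply, so no legitimate data is lost.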

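To make the mechanism concrete, the following is an added C model, not nginx's own code, of the proxy read buffer before and after the fix: a command pipelined in plaintext behind STARTTLS survives the handshake and is acted on inside the TLS session unless the buffer is emptied at STARTTLS. The buffer type, function names and the sample `NOOP` line are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a proxy read buffer: [pos, last) holds bytes
 * received from the client that have not been consumed yet. */
typedef struct { char *start; char *pos; char *last; } buf_t;

/* Pop one CRLF-terminated line into out (NUL-terminated, truncated to cap). */
static bool next_line(buf_t *b, char *out, size_t cap)
{
    for (char *p = b->pos; p + 1 < b->last; p++) {
        if (p[0] == '\r' && p[1] == '\n') {
            size_t n = (size_t)(p - b->pos);
            if (n >= cap) n = cap - 1;
            memcpy(out, b->pos, n);
            out[n] = '\0';
            b->pos = p + 2;
            return true;
        }
    }
    return false;
}

/* Return the first command the server would act on after the TLS handshake.
 * plaintext: bytes on the wire before TLS (may carry pipelined data after
 * STARTTLS); over_tls: bytes the client sends once TLS is up. With
 * fixed == false the leftover plaintext is kept, as in nginx 1.5.6-1.7.3;
 * with fixed == true the buffer is emptied at STARTTLS, as the patch does. */
static const char *first_tls_command(const char *plaintext, const char *over_tls,
                                     bool fixed, char *out, size_t cap)
{
    char storage[256];
    buf_t b = { storage, storage, storage };
    size_t n = strlen(plaintext);
    if (n + strlen(over_tls) > sizeof storage) return NULL;  /* sample sizes only */
    memcpy(b.last, plaintext, n);
    b.last += n;

    while (next_line(&b, out, cap)) {               /* plaintext phase */
        if (strcmp(out, "STARTTLS") == 0) {
            if (fixed) { b.pos = b.start; b.last = b.start; }  /* discard pipelined bytes */
            break;
        }
    }
    /* handshake completes here; decrypted bytes land in the same buffer */
    n = strlen(over_tls);
    memcpy(b.last, over_tls, n);
    b.last += n;
    return next_line(&b, out, cap) ? out : NULL;
}
```

With the fix the first command seen inside TLS is the client's genuine `EHLO`; without it the plaintext `NOOP` that was queued behind STARTTLS is the first thing acted on in the encrypted session.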
References:

https://bugzilla.redhat.com/show_bug.cgi?id=1126891
http://nginx.org/download/patch.2014.starttls.txt
http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html


Copyright 2024, cxsecurity.com