Bug 917839 (CVE-2013-1762)
| Summary: | CVE-2013-1762 Stunnel: buffer overflow vulnerability due to incorrect integer conversion in the NTLM authentication of the CONNECT protocol negotiation | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | amarecek, avagarwa, eparis, jlieskov, jrieden, sforsber |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | stunnel-4.55 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-04-08 19:05:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 917869, 917870 | ||
| Bug Blocks: | 917842 | ||
(In reply to comment #0) > > Recommendation > > Upgrade to stunnel 4.55, or disable the NTLM authentication. > This issue does NOT affect the versions of the stunnel package, as shipped with Fedora release of 17 and 18 - the stunnel-4.55-1.fc17 and stunnel-4.55-1.fc18 versions (which contain the fix for this issue) has been pushed to particular Fedora release -testing repository already: https://admin.fedoraproject.org/updates/stunnel-4.55-1.fc17 https://admin.fedoraproject.org/updates/stunnel-4.55-1.fc18 External Reference: https://www.stunnel.org/CVE-2013-1762.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0714 https://rhn.redhat.com/errata/RHSA-2013-0714.html Statement: This issue did not affect the version of the stunnel package as shipped with Red Hat Enterprise Linux 5. |
Michal Trojnara reports: A buffer overflow vulnerability due to incorrect integer conversion in the NTLM authentication of the CONNECT protocol negotiation Exploitability The vulnerability is exploitable under the following conditions: -Stunnel versions 4.21 until 4.54. -Stunnel compiled as a 64-bit executable. Any 32-bit builds, including pre-compiled Win32 binaries, are not vulnerable. -Service configured in SSL client mode ("client = yes"). -CONNECT protocol negotiation enabled ("protocol = connect"). -NTLM authentication enabled ("protocolAuthentication = NTLM"). -The attacker able either to control the proxy server specified as a parameter of the "connect" option, or to perform MITM attacks on TCP sessions between stunnel and the proxy server. Impact The vulnerability may be exploited for arbitrary code execution. The code is executed within the configured chroot directory, with privileges of the configured user and group. Recommendation Upgrade to stunnel 4.55, or disable the NTLM authentication. Credits Vulnerability discovery: Mateusz Kocielski, LogicalTrust External urls: https://www.stunnel.org/CVE-2013-1762.html