The STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
This issue affects the version of the inn package, as shipped with Red Hat Enterprise Linux 5.
This issue affects the versions of the inn package, as shipped with Fedora release of 16 and 17. Please schedule an update.
Created inn tracking bugs for this issue
Affects: fedora-all [bug 850480]
CVE identifier of CVE-2012-3523 has been assigned to this issue:
(Don't forget the nnrpd/sasl.c part of the patch)
(In reply to comment #6)
> (Don't forget the nnrpd/sasl.c part of the patch)
Thank you for the correction, Michael (I have truly overlooked it in quick view).
Not vulnerable. This issue did not affect the versions of inn as shipped with Red Hat Enterprise Linux 5 as they did not include support for the STARTTLS command.