Bug 850478 - (CVE-2012-3523) CVE-2012-3523 inn (nnrpd): Prone to STARTTLS plaintext command injection
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 850480
Blocks: 850485
Reported: 2012-08-21 12:05 EDT by Jan Lieskovsky
Modified: 2014-02-02 17:20 EST
Fixed In Version: inn 2.5.3
Doc Type: Bug Fix
Description Jan Lieskovsky 2012-08-21 12:05:05 EDT
The STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002

Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[3] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz
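
The buffering problem named in the description, reduced to a self-contained C sketch (an added example, not INN's code and not the upstream patch). `struct reader`, `next_line`, `pending_after_starttls` and the sample input are constructed for illustration; discarding the read buffer at the TLS upgrade is assumed here as the mitigation, as commonly applied to this bug class.

```c
#include <stdio.h>
#include <string.h>

/* Simplified line reader: one buffer serves both the cleartext and TLS phases. */
struct reader {
    char   buf[128];
    size_t len;   /* bytes received so far */
    size_t pos;   /* bytes already consumed */
};

/* Constructed input: STARTTLS plus a trailing command in one cleartext segment. */
static const char SAMPLE[] = "STARTTLS\r\nGROUP injected.example\r\n";

/* Copy the next CRLF-terminated line into out; return 1 if one was found. */
static int next_line(struct reader *r, char *out, size_t outsz)
{
    size_t i, n;
    for (i = r->pos; i + 1 < r->len; i++) {
        if (r->buf[i] != '\r' || r->buf[i + 1] != '\n')
            continue;
        n = (i - r->pos < outsz) ? i - r->pos : outsz - 1;
        memcpy(out, r->buf + r->pos, n);
        out[n] = '\0';
        r->pos = i + 2;
        return 1;
    }
    return 0;
}

/* Number of cleartext bytes still queued when the TLS phase begins.
 * Nonzero means they would be parsed as if received inside the TLS session. */
static size_t pending_after_starttls(int discard_on_upgrade)
{
    struct reader r = { "", 0, 0 };
    char line[64];

    r.len = strlen(SAMPLE);
    memcpy(r.buf, SAMPLE, r.len);
    if (!next_line(&r, line, sizeof line) || strcmp(line, "STARTTLS") != 0)
        return 0;
    if (discard_on_upgrade)
        r.pos = r.len = 0;   /* handshake point: drop everything read before TLS */
    return r.len - r.pos;
}

int main(void)
{
    printf("unrestricted: %zu, discarding: %zu\n", pending_after_starttls(0), pending_after_starttls(1));
    return 0;
}
```

A server-side regression test for this class can send both lines in a single write and confirm that only the STARTTLS response comes back before the handshake.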
Comment 1 Jan Lieskovsky 2012-08-21 12:06:16 EDT
This issue affects the version of the inn package, as shipped with Red Hat Enterprise Linux 5.
Comment 2 Jan Lieskovsky 2012-08-21 12:06:51 EDT
This issue affects the versions of the inn package, as shipped with Fedora releases 16 and 17. Please schedule an update.
Comment 3 Jan Lieskovsky 2012-08-21 12:07:38 EDT
Created inn tracking bugs for this issue

Affects: fedora-all [bug 850480]
Comment 4 Jan Lieskovsky 2012-08-21 12:14:25 EDT
CVE request:
Comment 5 Jan Lieskovsky 2012-08-22 06:10:19 EDT
CVE identifier of CVE-2012-3523 has been assigned to this issue:
Comment 6 Michael Schröder 2012-08-22 11:52:00 EDT
(Don't forget the nnrpd/sasl.c part of the patch)
Comment 7 Jan Lieskovsky 2012-08-22 12:25:52 EDT
(In reply to comment #6)
> (Don't forget the nnrpd/sasl.c part of the patch)

Thank you for the correction, Michael (I have truly overlooked it in quick view).
Comment 10 Stefan Cornelius 2012-08-29 08:56:53 EDT

Not vulnerable. This issue did not affect the versions of inn as shipped with Red Hat Enterprise Linux 5 as they did not include support for the STARTTLS command.
