Bug 917839 - (CVE-2013-1762) CVE-2013-1762 Stunnel: buffer overflow vulnerability due to incorrect integer conversion in the NTLM authentication of the CONNECT protocol negotiation
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130303,repor...
Keywords: Security
Depends On: 917869 917870
Blocks: 917842

Reported: 2013-03-04 16:59 EST by Kurt Seifried
Modified: 2015-11-24 10:29 EST

Fixed In Version: stunnel-4.55
Doc Type: Bug Fix
Last Closed: 2013-04-08 15:05:07 EDT

Attachments: None
Description Kurt Seifried 2013-03-04 16:59:51 EST
Michal Trojnara reports:

A buffer overflow vulnerability due to incorrect integer conversion in the NTLM authentication of the CONNECT protocol negotiation
Exploitability

The vulnerability is exploitable under the following conditions:
- Stunnel versions 4.21 through 4.54.
- Stunnel compiled as a 64-bit executable. Any 32-bit builds, including pre-compiled Win32 binaries, are not vulnerable.
- Service configured in SSL client mode ("client = yes").
- CONNECT protocol negotiation enabled ("protocol = connect").
- NTLM authentication enabled ("protocolAuthentication = NTLM").
- An attacker able either to control the proxy server specified as a parameter of the "connect" option, or to perform MITM attacks on TCP sessions between stunnel and the proxy server.

Impact

The vulnerability may be exploited for arbitrary code execution. The code is executed within the configured chroot directory, with privileges of the configured user and group.

Recommendation

Upgrade to stunnel 4.55, or disable the NTLM authentication.

Credits

Vulnerability discovery: Mateusz Kocielski, LogicalTrust

External urls:
https://www.stunnel.org/CVE-2013-1762.html
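As an added example (not part of the bug report, the advisory, or stunnel's own code): a small Python audit that applies the exposure conditions listed above to a stunnel configuration file and a version string. The two sample configurations, the service name and the proxy host name are constructed for this example. Whether the stunnel binary is a 64-bit build is passed in as a flag, because that is a property of the binary, not of the configuration; check it on the binary itself (for example with file(1) on the installed executable).

```python
"""Audit an stunnel configuration against the CVE-2013-1762 exposure conditions.

Added example, not stunnel code. Conditions come from the advisory quoted in
this bug: version 4.21 through 4.54, 64-bit build, client = yes,
protocol = connect, protocolAuthentication = NTLM. The attacker-side
condition (controlling or MITM-ing the proxy named by "connect") cannot be
judged from the config, so the proxy target is reported for review instead.
"""
import re
from typing import Dict, List, Tuple

# Inclusive affected range from the advisory (fixed in 4.55).
AFFECTED_MIN = (4, 21)
AFFECTED_MAX = (4, 54)

# Service-level options that together make a service exposed (values compared
# case-insensitively, as stunnel treats them).
CONDITIONS = {"client": "yes", "protocol": "connect", "protocolauthentication": "ntlm"}


def parse_version(version: str) -> Tuple[int, int]:
    """Turn '4.53' or a package name like 'stunnel-4.55-1.fc18' into (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"cannot parse stunnel version from {version!r}")
    return int(m.group(1)), int(m.group(2))


def version_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader for stunnel's INI-style config: [service] sections holding
    'option = value' lines, ';' or '#' comments. Options that appear before the
    first section are stored under the key "" and used as defaults for every
    service, which is how stunnel applies them. Option names are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not an 'option = value' line; ignore it
        sections[current][key.strip().lower()] = value.strip()
    return sections


def exposed_services(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (service name, connect target) for every service whose effective
    options meet all three configuration conditions from the advisory."""
    defaults = conf.get("", {})
    hits = []
    for name, opts in conf.items():
        if name == "":
            continue
        effective = {**defaults, **opts}
        if all(effective.get(k, "").lower() == v for k, v in CONDITIONS.items()):
            hits.append((name, effective.get("connect", "?")))
    return hits


def assess(conf_text: str, version: str, is_64bit: bool) -> Dict[str, object]:
    """Combine the build-level conditions (version range, 64-bit executable)
    with the per-service configuration conditions. 'vulnerable' is True only
    when every condition the advisory lists can be confirmed."""
    services = exposed_services(parse_stunnel_conf(conf_text))
    affected = version_affected(version)
    return {
        "version_affected": affected,
        "is_64bit": is_64bit,
        "services": services,
        "vulnerable": affected and is_64bit and bool(services),
    }


# Constructed sample: stunnel as an SSL client tunnelling out through an NTLM
# proxy. Host names and service name are hypothetical.
VULNERABLE_CONF = """\
; constructed sample for the audit above
client = yes

[smtp-via-proxy]
accept = 127.0.0.1:2525
connect = proxy.example.com:3128
protocol = connect
protocolHost = mail.example.com:465
protocolAuthentication = NTLM
protocolUsername = user
protocolPassword = secret
"""

# Constructed sample: the same service with NTLM disabled, the advisory's
# alternative to upgrading (basic proxy authentication is not covered by it).
MITIGATED_CONF = """\
client = yes

[smtp-via-proxy]
accept = 127.0.0.1:2525
connect = proxy.example.com:3128
protocol = connect
protocolHost = mail.example.com:465
protocolAuthentication = basic
protocolUsername = user
protocolPassword = secret
"""

if __name__ == "__main__":
    for label, conf, ver in (("vulnerable", VULNERABLE_CONF, "4.53"),
                             ("ntlm disabled", MITIGATED_CONF, "4.53"),
                             ("upgraded", VULNERABLE_CONF, "stunnel-4.55-1.fc18")):
        print(label, assess(conf, ver, is_64bit=True))
```

The audit deliberately treats the 64-bit check as an input rather than deriving it from the Python interpreter's own word size: the advisory's condition is about how the stunnel executable was compiled, so the flag should come from inspecting that binary. A service that is reported with its connect target still needs the last condition (attacker control of, or MITM against, that proxy) judged by hand.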
Comment 6 Jan Lieskovsky 2013-03-22 09:00:02 EDT
(In reply to comment #0)
>
> Recommendation
> 
> Upgrade to stunnel 4.55, or disable the NTLM authentication.
> 

This issue does NOT affect the versions of the stunnel package as shipped with Fedora releases 17 and 18: the stunnel-4.55-1.fc17 and stunnel-4.55-1.fc18 versions (which contain the fix for this issue) have already been pushed to the respective Fedora release -testing repositories:

  https://admin.fedoraproject.org/updates/stunnel-4.55-1.fc17
  https://admin.fedoraproject.org/updates/stunnel-4.55-1.fc18
Comment 14 Vincent Danen 2013-04-08 13:12:06 EDT
External Reference:

https://www.stunnel.org/CVE-2013-1762.html
Comment 15 errata-xmlrpc 2013-04-08 13:49:51 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0714 https://rhn.redhat.com/errata/RHSA-2013-0714.html
Comment 16 Vincent Danen 2013-04-08 15:05:07 EDT
Statement:

This issue did not affect the version of the stunnel package as shipped with Red Hat Enterprise Linux 5.
