Date: Thu, 19 Jan 2012 22:27:51 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Agostino Sarubbo <ago@...too.org>
Subject: Re: CVE Request for spamdyke "STARTTLS" Plaintext

On 01/15/2012 07:48 AM, Agostino Sarubbo wrote:
> In reference to: http://www.openwall.com/lists/oss-security/2012/01/07/1
>
> According to the Secunia security advisory (https://secunia.com/advisories/47435):
>
> Description:
> A vulnerability has been reported in spamdyke, which can be exploited by 
> malicious people to manipulate certain data.
>
> The vulnerability is caused due to the TLS implementation not properly 
> clearing transport layer buffers when upgrading from plaintext to ciphertext 
> after receiving the "STARTTLS" command. This can be exploited to insert 
> arbitrary plaintext data (e.g. SMTP commands) during the plaintext phase, 
> which will then be executed after upgrading to the TLS ciphertext phase.
>
> The vulnerability is reported in versions prior to 4.2.1.
>
>
> Solution:
> Update to version 4.2.1.
>
>
> And from the upstream changelog (http://www.spamdyke.org/documentation/Changelog.txt):
>
>   Changed smtp_filter() and middleman() to discard any buffered input after TLS
>   is started.  This prevents the injection of commands into a secure session
>   by sending extra input in the same packet as the "STARTTLS" command.  Not
>   really a security problem but good practice anyway.  Thanks to Eric
>   Shubert for reporting this one.
>
>
> Sorry Kurt, but atm, I have not found the commit code.
>
>
Thanks, this helped clarify it a lot. Please use CVE-2012-0070 for this
issue.

-- 

-- Kurt Seifried / Red Hat Security Response Team
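The buffer-flush defect quoted above, modelled as an added example that is not spamdyke's code nor part of this thread: a minimal line-buffered SMTP command reader that either keeps (vulnerable) or discards (fixed, as the 4.2.1 changelog describes) plaintext bytes that arrived in the same packet as STARTTLS. The TLS layer is simulated by a second queue of "decrypted" packets, and all commands and addresses are constructed sample data.

```python
"""Model of plaintext command injection across a STARTTLS upgrade."""

# Constructed sample: the client sends three commands in one TCP segment.
# Only the first two are meant to be processed in the plaintext phase.
PLAINTEXT_PACKET = b"EHLO client.example\r\nSTARTTLS\r\nMAIL FROM:<a@example>\r\n"
# Constructed sample: what the client sends *inside* the TLS session afterwards.
TLS_PACKETS = [b"MAIL FROM:<b@example>\r\nQUIT\r\n"]


def read_line(buffer: bytearray):
    """Pop one CRLF-terminated line from the buffer; None if no complete line."""
    idx = buffer.find(b"\r\n")
    if idx < 0:
        return None
    line = bytes(buffer[:idx]).decode("ascii", "replace")
    del buffer[: idx + 2]
    return line


def run_session(plaintext_packet: bytes, tls_packets, discard_after_starttls: bool):
    """Process commands and tag each with the phase the server *treats* it as.

    Returns a list of (command, phase) tuples, phase being "plain" or "tls".
    With discard_after_starttls=False the trailing plaintext line is processed
    as if it had been sent inside the TLS session (the reported defect).
    """
    buffer = bytearray(plaintext_packet)   # application-level read buffer
    tls_queue = list(tls_packets)          # stands in for reads via the TLS layer
    phase = "plain"
    log = []
    while True:
        cmd = read_line(buffer)
        if cmd is None:
            if phase == "tls" and tls_queue:
                buffer.extend(tls_queue.pop(0))  # next decrypted packet
                continue
            break
        if phase == "plain" and cmd.upper() == "STARTTLS":
            log.append((cmd, "plain"))
            if discard_after_starttls:
                buffer.clear()  # the fix: drop anything read before the handshake
            phase = "tls"       # handshake assumed to succeed here
            continue
        log.append((cmd, phase))
        if cmd.upper() == "QUIT":
            break
    return log


if __name__ == "__main__":
    print("vulnerable:", run_session(PLAINTEXT_PACKET, TLS_PACKETS, False))
    print("fixed:     ", run_session(PLAINTEXT_PACKET, TLS_PACKETS, True))
```

In the vulnerable run the injected `MAIL FROM:<a@example>` is logged with phase "tls" even though it was never protected by TLS; in the fixed run it never reaches the command handler.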
