Vulnerability Note VU#555316
STARTTLS plaintext command injection vulnerability
Some STARTTLS implementations could allow a remote attacker to inject commands during the plaintext phase of the protocol.
STARTTLS is an extension to plaintext application protocols (SMTP, POP3, IMAP and others) that upgrades an existing plaintext connection to an encrypted (TLS or SSL) connection in-band, instead of using a separate port for encrypted traffic. Some implementations of STARTTLS contain a vulnerability that allows a remote, unauthenticated attacker to inject commands during the plaintext phase of the protocol that are then executed during the encrypted phase. The cause is that the switch from plaintext to TLS is implemented below the application's I/O buffering layer: the application reads from the network into its own buffer, consumes the STARTTLS command, and hands the underlying socket to the TLS library, but any bytes that followed STARTTLS in the same read are still sitting in the application buffer. When the application resumes reading after the handshake it drains those buffered plaintext bytes first and treats them as if they had arrived over the encrypted channel.
This issue is only of practical concern for affected implementations that also perform correct certificate validation. Implementations that do not validate the peer certificate are already inherently vulnerable to man-in-the-middle attacks (an attacker can simply terminate the TLS session itself), so the injection adds nothing in that case.
A remote attacker positioned as a man-in-the-middle may be able to inject commands for the corresponding protocol (e.g., SMTP, POP3, IMAP) during the plaintext protocol phase that are then executed during the encrypted protocol phase, that is, inside a session the client believes is protected by TLS.
Purge the application I/O buffer when switching from plaintext to TLS, so that any plaintext bytes already read but not yet processed are discarded rather than executed after the handshake. Affected vendors have released updates that do this; see the vendor information below.
Vendor Information
| Vendor                             | Status       | Date Notified | Date Updated |
| Cyrus-IMAP                         | Affected     | -             | 17 May 2011  |
| Debian GNU/Linux                   | Affected     | -             | 11 May 2011  |
| Ipswitch, Inc                      | Affected     | 21 Jan 2011   | 01 Mar 2011  |
| Kerio Technologies                 | Affected     | 19 Jan 2011   | 01 Mar 2011  |
| Postfix                            | Affected     | -             | 03 Mar 2011  |
| Qmail-TLS                          | Affected     | 19 Jan 2011   | 07 Mar 2011  |
| Red Hat, Inc.                      | Affected     | 19 Jan 2011   | 07 Apr 2011  |
| Sun Microsystems, Inc.             | Affected     | 19 Jan 2011   | 01 Mar 2011  |
| Ubuntu                             | Affected     | -             | 11 May 2011  |
| Watchguard Technologies, Inc.      | Affected     | 19 Jan 2011   | 14 Apr 2011  |
| Blue Coat Systems                  | Not Affected | 19 Jan 2011   | 28 Mar 2011  |
| EXIM                               | Not Affected | 07 Mar 2011   | 14 Mar 2011  |
| Force10 Networks, Inc.             | Not Affected | 19 Jan 2011   | 22 Jul 2011  |
| Fortinet, Inc.                     | Not Affected | 19 Jan 2011   | 16 Mar 2011  |
| Global Technology Associates, Inc. | Not Affected | 19 Jan 2011   | 14 Mar 2011  |
Thanks to Wietse Venema for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2011-0411 CVE-2011-1430 CVE-2011-1431 CVE-2011-1432 CVE-2011-1575
- Date Public: 07 Mar 2011
- Date First Published: 07 Mar 2011
- Date Last Updated: 08 Sep 2011
- Severity Metric: 1.39
- Document Revision: 52
If you have feedback, comments, or additional information about this vulnerability, please send us email.