Vulnerability Note VU#555316

STARTTLS plaintext command injection vulnerability

Original Release date: 07 Mar 2011 | Last revised: 08 Sep 2011

Overview

Some STARTTLS implementations could allow a remote attacker to inject commands during the plaintext phase of the protocol.

Description

STARTTLS is an extension to plaintext communication protocols that offers a way to upgrade a plaintext connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication. Some implementations of STARTTLS contain a vulnerability that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that are then executed during the ciphertext protocol phase. This vulnerability is caused by the switch from plaintext to TLS being implemented below the application's I/O buffering layer: bytes that were read from the network in plaintext can remain in the application buffer across the switch and are processed afterwards as though they had arrived over the encrypted connection.

This issue is only of practical concern for affected implementations that also perform correct certificate validation. Implementations which do not perform certificate validation are already inherently vulnerable to man-in-the-middle attacks.

Note: Not all implementations of STARTTLS are affected by this vulnerability. Some implementations of Simple Authentication and Security Layer (SASL) could also be affected by this vulnerability. Please see the Vendor Information below for specific vendor information.

Impact

A remote attacker with the ability to pose as a man-in-the-middle may be able to inject commands for the corresponding protocol (e.g., SMTP, POP3, etc.) during the plaintext protocol phase that will then be executed during the ciphertext protocol phase.

Solution

Update

Please see the Vendor Information below for specific vendor information and patches.

Purge the application I/O buffer

Developers of STARTTLS-enabled applications should take care to purge the application's I/O buffer immediately after switching to TLS in order to mitigate this vulnerability.
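As an added illustration (not code from this advisory or from any listed vendor), the following Python simulation shows how a command that was read into the same application buffer as STARTTLS is acted on after the switch when the buffer is not purged, and how purging the buffer at the switch, as recommended above, prevents that. The socket, the TLS handshake and the sample client traffic are constructed stand-ins.

```python
# Simulation of the buffering flaw behind VU#555316 (added illustration, not
# code from any affected product). Each "delivery" stands for what one
# read() on the socket returned; the TLS handshake itself is stubbed out.

def run_server(deliveries, purge_after_starttls):
    """Run a minimal STARTTLS-style command loop over the given chunks.

    deliveries: list of byte strings, each the result of one read() call.
    Returns the list of (phase, command) pairs the server acted on, where
    phase is 'plain' before the handshake and 'tls' after it.
    """
    chunks = iter(deliveries)
    buf = b""          # application-layer I/O buffer shared across phases
    phase = "plain"
    executed = []
    while True:
        if b"\r\n" not in buf:
            chunk = next(chunks, b"")
            if not chunk:
                break
            buf += chunk   # may hold several pipelined lines at once
            continue
        line, buf = buf.split(b"\r\n", 1)
        cmd = line.decode("ascii", "replace").strip()
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "STARTTLS" and phase == "plain":
            # The switch to TLS happens below the buffering layer: bytes
            # already in buf arrived in plaintext but would be read back
            # after the switch as if they had come over the TLS session.
            phase = "tls"
            if purge_after_starttls:
                buf = b""  # the advisory's mitigation: drop read-ahead bytes
            continue
        executed.append((phase, cmd))
        if verb == "QUIT":
            break
    return executed


# Constructed sample: the plaintext segment carries a command pipelined after
# STARTTLS in the same read(); the second chunk stands for post-handshake data.
SAMPLE_DELIVERIES = [b"EHLO example.test\r\nSTARTTLS\r\nNOOP\r\n", b"QUIT\r\n"]

def tls_phase_commands(deliveries, purge_after_starttls):
    """Commands the server acted on while believing it was inside TLS."""
    return [c for p, c in run_server(deliveries, purge_after_starttls) if p == "tls"]

if __name__ == "__main__":
    print("vulnerable:", tls_phase_commands(SAMPLE_DELIVERIES, False))
    print("fixed:     ", tls_phase_commands(SAMPLE_DELIVERIES, True))
```

Without the purge, NOOP (sent in plaintext) is acted on in the TLS phase; with the purge, only data received after the handshake is.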

Vendor Information

Vendor                               Status        Date Notified  Date Updated
Cyrus-IMAP                           Affected      -              17 May 2011
Debian GNU/Linux                     Affected      -              11 May 2011
Ipswitch, Inc                        Affected      21 Jan 2011    01 Mar 2011
Kerio Technologies                   Affected      19 Jan 2011    01 Mar 2011
Postfix                              Affected      -              03 Mar 2011
Qmail-TLS                            Affected      19 Jan 2011    07 Mar 2011
Red Hat, Inc.                        Affected      19 Jan 2011    07 Apr 2011
Sun Microsystems, Inc.               Affected      19 Jan 2011    01 Mar 2011
Ubuntu                               Affected      -              11 May 2011
Watchguard Technologies, Inc.        Affected      19 Jan 2011    14 Apr 2011
Blue Coat Systems                    Not Affected  19 Jan 2011    28 Mar 2011
EXIM                                 Not Affected  07 Mar 2011    14 Mar 2011
Force10 Networks, Inc.               Not Affected  19 Jan 2011    22 Jul 2011
Fortinet, Inc.                       Not Affected  19 Jan 2011    16 Mar 2011
Global Technology Associates, Inc.   Not Affected  19 Jan 2011    14 Mar 2011

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

Thanks to Wietse Venema for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.