
CERT Coordination Center

NSIS Inetc plug-in fails to validate SSL certificates

Vulnerability Note VU#894897

Original Release Date: 2015-03-20 | Last Revised: 2015-09-08

Overview

The Inetc plugin for the NSIS installer fails to validate SSL certificates, which makes installers that use it to download content over HTTPS vulnerable to spoofing by a network attacker.

Description

Inetc is a plugin for the NSIS installer software that provides the ability to download files from the internet. Although Inetc supports downloading files over HTTPS, it does not validate the server's SSL certificate chain, so a man-in-the-middle presenting any certificate is accepted as the legitimate server.

Impact

An attacker can spoof content retrieved using HTTPS. Depending on what the installer does with content retrieved over HTTPS, the impact can be as severe as arbitrary code execution with elevated privileges.

Solution

Apply an update

This issue is resolved in Inetc builds dated September 6, 2015 and later. Those builds no longer pass any SECURITY_FLAG_IGNORE_* flags to WinINet by default, so WinINet's normal certificate checks apply to HTTPS downloads.
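The following is an added illustration of the defect and of the two defences the note and the Dropbox addendum describe; it is not code from Inetc, NSIS, WinINet or CERT/CC. Python's ssl module stands in for WinINet: the insecure context reproduces the effect of the SECURITY_FLAG_IGNORE_* flags (any certificate and any name are accepted), the strict context is what the fixed builds get from WinINet by default, and the pin check is the "additional validation of downloaded files" an installer can apply regardless of the transport. The URL scheme check, the function names and the payload bytes and digest are assumptions constructed for this example.

```python
"""Added illustration for VU#894897; not code from Inetc, NSIS, WinINet or CERT/CC.

Python's ssl module stands in for WinINet.  Two things are shown:
  1. the vulnerable configuration (equivalent to passing SECURITY_FLAG_IGNORE_*
     flags: any certificate, any name, is accepted) beside the validating one, and
  2. content pinning: checking the downloaded file's SHA-256 against a digest
     the installer carries with it, a check that holds even if the transport
     was spoofed.
The URL, digest and payload bytes below are constructed for the example.
"""
import hashlib
import hmac
import http.client
import ssl
from typing import Optional
from urllib.parse import urlsplit


def insecure_context() -> ssl.SSLContext:
    """Vulnerable: chain and hostname checks are switched off, so a MITM
    presenting any certificate is accepted (the SECURITY_FLAG_IGNORE_* effect)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened: the default client context verifies the chain against the
    trust store and checks the hostname; a spoofed server fails the handshake."""
    return ssl.create_default_context(cafile=cafile)


def download(url: str, ctx: ssl.SSLContext, timeout: float = 30.0) -> bytes:
    """GET url over TLS with the supplied context; refuses plain HTTP outright."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing to fetch installer content from {url!r}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP status {resp.status}")
        return resp.read()
    finally:
        conn.close()


def payload_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Pin check: constant-time comparison of the file's SHA-256 against the
    digest shipped inside the installer."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def fetch_pinned(url: str, expected_sha256_hex: str,
                 ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Download with a validating context and refuse to hand back content
    whose digest does not match the pin, so a substituted file is never run."""
    data = download(url, ctx or strict_context())
    if not payload_matches(data, expected_sha256_hex):
        raise RuntimeError("downloaded file does not match the pinned SHA-256")
    return data


# Constructed sample data: what the installer expects, and a substituted payload.
GENUINE_PAYLOAD = b"MZ...genuine-update-bytes..."        # constructed, not a real PE
PINNED_SHA256 = hashlib.sha256(GENUINE_PAYLOAD).hexdigest()
SPOOFED_PAYLOAD = b"MZ...attacker-supplied-bytes..."     # constructed


def demo() -> dict:
    """Offline summary of the checks; no network access is made here."""
    return {
        "insecure_verifies_chain": insecure_context().verify_mode != ssl.CERT_NONE,
        "strict_verifies_chain": strict_context().verify_mode == ssl.CERT_REQUIRED,
        "strict_checks_hostname": strict_context().check_hostname,
        "genuine_accepted": payload_matches(GENUINE_PAYLOAD, PINNED_SHA256),
        "spoofed_rejected": not payload_matches(SPOOFED_PAYLOAD, PINNED_SHA256),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of keeping both checks is that they fail independently: with the insecure context a spoofed server is accepted at the handshake and only the digest pin stops the substituted file, whereas with the strict context the handshake itself fails, and the pin still protects against a compromised or misconfigured origin.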

Only install software while connected to a trusted network

Because the Inetc plugin does not validate SSL certificates, NSIS-based installers that use Inetc to download files over HTTPS should not be run while connected to a network that is either inherently untrusted or has untrusted users on it. A user generally cannot tell from the outside whether a given NSIS installer uses Inetc, so the conservative course is to treat any NSIS-based installer this way.

Vendor Information


CERT/CC Affected

Updated:  March 20, 2015

Status

Affected

Vendor Statement

The installer for FOE is affected. To minimize the risk of installing FOE on an untrusted network use the installer on the ISO.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Dropbox Affected

Notified:  March 03, 2015 Updated: March 20, 2015

Status

Affected

Vendor Statement

Dropbox patched its service within hours of notification, and the fix went live on March 4, 2015. All Dropbox clients are safe, and there is no evidence to indicate the vulnerability was ever exploited. Users are not vulnerable and don't need to take any action.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Dropbox 3.2.9 addresses this issue by performing additional validation of downloaded files.


Nullsoft Affected

Notified:  January 31, 2011 Updated: February 25, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

AVG Anti-virus Software Not Affected

Notified:  February 25, 2015 Updated: February 26, 2015

Statement Date:   February 26, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

AVG is not using NSIS for installation.
The only thing that ties to NSIS is that AVG scanning engine can unpack and scan NSIS installation packages.

Unify Inc Not Affected

Notified:  February 25, 2015 Updated: March 23, 2015

Status

Not Affected

Vendor Statement

Unify is using the NSIS in parts of its product portfolio, but only in the context of its own SW provisioning and update processes, that provide appropriate integrity protection. The Inetc plugin of NSIS is not used.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

7-Zip.org Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AMD Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Adobe Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Amazon Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Debian GNU/Linux Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DivX, Inc. Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

FreeRADIUS Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

McAfee Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mozilla Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OpenVPN Technologies Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Pidgin Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ubuntu Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

VideoLAN Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Wireshark Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Xen Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Yahoo, Inc. Unknown

Notified:  February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References



CVSS Metrics

Group          Score  Vector
Base           7.3    AV:A/AC:M/Au:N/C:C/I:C/A:--
Temporal       7.3    E:H/RL:U/RC:C
Environmental  7.3    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2015-0941
Date Public: 2011-01-31
Date First Published: 2015-03-20
Date Last Updated: 2015-09-08 15:54 UTC
Document Revision: 27

Sponsored by CISA.