Multiple vendors STARTTLS command execution

multiple-starttls-command-execution (65932). The risk level is classified as High Risk.

Description:

Multiple vendors could allow a remote attacker to execute arbitrary commands on the system, caused by an error in the STARTTLS implementation when upgrading a connection from plaintext to TLS. An attacker could exploit this vulnerability using man-in-the-middle techniques to inject SMTP commands during the plaintext protocol phase that are then executed during the ciphertext protocol phase.
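The defect behind every entry in this advisory is the same: a line-oriented server reads ahead from the socket into an application buffer, and bytes that followed the STARTTLS line in that buffer survive the TLS handshake, so the server later executes them as if they had arrived encrypted. The model below is an added illustration written for this page; it is not code from Postfix, IMail, or any other listed product. It simulates the server's command loop with and without the fix (discarding the read-ahead buffer before the handshake). The byte streams, host names and the NOOP line are constructed sample input.

```python
"""
Constructed model of the STARTTLS I/O-buffering defect (the CVE-2011-0411
class of bugs). Not code from any affected product.

A line-oriented server reads from the socket into an application buffer and
may receive several lines in one read(). If the bytes that follow the
STARTTLS line are left in that buffer across the TLS handshake, the server
later consumes them as though they had arrived over the encrypted channel.
The fix modelled here: drop the read-ahead buffer before the handshake so
that every post-handshake command really came through TLS.
"""
from typing import List, Tuple

Event = Tuple[str, str]  # (phase, command) with phase in {"plain", "tls"}

# Constructed sample input: one cleartext read() returned three lines, the
# last of which the client (or a man-in-the-middle) placed after STARTTLS.
PRE_TLS = b"EHLO client.example.test\r\nSTARTTLS\r\nNOOP\r\n"
# Constructed sample input: what the TLS layer delivers after the handshake.
POST_TLS = b"EHLO client.example.test\r\nMAIL FROM:<sender@example.test>\r\n"


def run_session(pre_tls: bytes, post_tls: bytes, discard_on_starttls: bool) -> List[Event]:
    """Simulate a server command loop across a STARTTLS upgrade.

    pre_tls:  all bytes the client wrote in cleartext before the handshake
              (the server's first read() returns the whole chunk).
    post_tls: bytes the TLS layer hands up, decrypted, after the handshake.
    discard_on_starttls: True selects the fixed behaviour, False the defect.
    Returns the commands the server executed, tagged with the phase the
    server believed they belonged to.
    """
    buffer = pre_tls
    tls_active = False
    events: List[Event] = []
    while True:
        nl = buffer.find(b"\r\n")
        if nl < 0:
            break
        line, buffer = buffer[:nl], buffer[nl + 2:]
        cmd = line.decode("ascii", "replace").strip()
        events.append(("tls" if tls_active else "plain", cmd))
        if cmd.upper() == "STARTTLS" and not tls_active:
            # "220 Ready to start TLS" is sent here and the handshake runs on
            # the raw socket. Whatever is still in `buffer` was read in
            # cleartext, so a correct server must not carry it over.
            if discard_on_starttls:
                buffer = b""
            tls_active = True
            buffer += post_tls  # from here on, data arrives via the TLS layer
    return events


def leftover_after_starttls(pre_tls: bytes) -> List[str]:
    """Defender-side check: the cleartext lines that followed STARTTLS in the
    same read. A correct server discards exactly these before the handshake,
    so none of them may show up among the commands executed under TLS."""
    marker = b"STARTTLS\r\n"
    idx = pre_tls.upper().find(marker)
    if idx < 0:
        return []
    tail = pre_tls[idx + len(marker):]
    return [chunk.decode("ascii", "replace") for chunk in tail.split(b"\r\n") if chunk]


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed" if fixed else "vulnerable"
        for phase, cmd in run_session(PRE_TLS, POST_TLS, discard_on_starttls=fixed):
            print(f"{label:10s} {phase:5s} {cmd}")
```

Running the block shows the defective loop executing NOOP in the "tls" phase although it was never encrypted, while the fixed loop executes only the two lines delivered by the TLS layer. Discarding the buffer is one correct design; treating any pipelined data after STARTTLS as a protocol error is another. Either way, nothing read in cleartext may survive the handshake, and the same rule applies to a client that has read ahead past the server's 220 reply.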

*CVSS:

Base Score: 6.8
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: Partial
 
Temporal Score: 5
  Exploitability: Unproven
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Gain Access

Remedy:

Apply the appropriate update for your system. See References.

References:

  • Ipswitch, Inc. Web site: Mail Server, SMTP Server, Email Server - IMail Server.
  • Kolab Web Site: Announcing the Kolab Server 2.3.2.
  • Oracle Critical Patch Update Advisory - April 2011: Oracle Critical Patch Update Advisory - April 2011.
  • Postfix Web Site: Plaintext command injection in multiple implementations of STARTTLS (CVE-2011-0411) .
  • WatchGuard Web site: Release Notes for WatchGuard XCS v9.1 TLS Hotfix.
  • BID-46767: Multiple Vendors STARTTLS Implementation Plaintext Arbitrary Command Injection Vulnerability
  • CVE-2011-0411: The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack.
  • CVE-2011-1430: The STARTTLS implementation in the server in Ipswitch IMail 11.03 and earlier does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411.
  • CVE-2011-1431: The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the netqmail-1.06-tls patch for netqmail 1.06 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411.
  • CVE-2011-1432: The STARTTLS implementation in SCO SCOoffice Server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411.
  • CVE-2011-1506: The STARTTLS implementation in Kerio Connect 7.1.4 build 2985 and MailServer 6.x does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411. NOTE: some of these details are obtained from third party information.
  • CVE-2011-1575: The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411.
  • DSA-2233: postfix -- several vulnerabilities
  • OSVDB ID: 71020: Ipswitch IMail Server STARTTLS Arbitrary Plaintext Command Injection
  • OSVDB ID: 71021: Postfix STARTTLS Arbitrary Plaintext Command Injection
  • OSVDB ID: 71854: Kerio Connect STARTTLS Arbitrary Plaintext Command Injection
  • OSVDB ID: 71855: Pure-FTPd STARTTLS Arbitrary Plaintext Command Injection
  • OSVDB ID: 71946: Oracle Sun Java System Messaging Server SMTP Server / IMAP Server / POP Server STARTTLS Arbitrary Plaintext Command Injection
  • OSVDB ID: 72186: Cyrus IMAP Server STARTTLS Arbitrary Plaintext Command Injection
  • OSVDB ID: 75014: SCO SCOoffice Server STARTTLS I/O Buffering MiTM Plaintext Command Injection
  • OSVDB ID: 75256: netqmail qmail-smtpd qmail-smtpd.c STARTTLS I/O Buffering MiTM Plaintext Command Injection
  • RHSA-2011-0422: Moderate: postfix security update
  • RHSA-2011-0423: Moderate: postfix security update
  • SA43646: Postfix STARTTLS Plaintext Injection Vulnerability
  • SA43676: Ipswitch IMail Server STARTTLS Plaintext Injection Vulnerability
  • SA43678: Kerio Connect STARTTLS Plaintext Injection Vulnerability
  • SA43988: Pure-FTPd STARTTLS Plaintext Injection Vulnerability
  • SA44301: Oracle Communications Messaging Server STARTTLS Plaintext Injection Vulnerability
  • SA44414: Cyrus IMAP Server STARTTLS Plaintext Injection Vulnerability
  • SA44863: Kolab Server Multiple Vulnerabilities
  • SA45857: SCOoffice Server "STARTTLS" Plaintext Injection Vulnerability
  • SUSE-SR:2011:008: SUSE Security Summary Report
  • SUSE-SR:2011:009: SUSE Security Summary Report
  • US-CERT VU#555316: STARTTLS plaintext command injection vulnerability

Platforms Affected:

  • Ipswitch IMail Server 11.01
  • Kolab Kolab Server 2.3
  • Postfix Postfix 2.4
  • Postfix Postfix 2.4.0
  • Postfix Postfix 2.4.1
  • Postfix Postfix 2.4.10
  • Postfix Postfix 2.4.11
  • Postfix Postfix 2.4.12
  • Postfix Postfix 2.4.13
  • Postfix Postfix 2.4.14
  • Postfix Postfix 2.4.15
  • Postfix Postfix 2.4.2
  • Postfix Postfix 2.4.3
  • Postfix Postfix 2.4.4
  • Postfix Postfix 2.4.5
  • Postfix Postfix 2.4.6
  • Postfix Postfix 2.4.7
  • Postfix Postfix 2.4.8
  • Postfix Postfix 2.4.9
  • Postfix Postfix 2.5.0
  • Postfix Postfix 2.5.1
  • Postfix Postfix 2.5.10
  • Postfix Postfix 2.5.11
  • Postfix Postfix 2.5.2
  • Postfix Postfix 2.5.3
  • Postfix Postfix 2.5.4
  • Postfix Postfix 2.5.5
  • Postfix Postfix 2.5.6
  • Postfix Postfix 2.5.7
  • Postfix Postfix 2.5.8
  • Postfix Postfix 2.5.9
  • Postfix Postfix 2.6
  • Postfix Postfix 2.6.0
  • Postfix Postfix 2.6.1
  • Postfix Postfix 2.6.2
  • Postfix Postfix 2.6.3
  • Postfix Postfix 2.6.4
  • Postfix Postfix 2.6.5
  • Postfix Postfix 2.6.6
  • Postfix Postfix 2.6.7
  • Postfix Postfix 2.6.8
  • Postfix Postfix 2.7.0
  • Postfix Postfix 2.7.1
  • Postfix Postfix 2.7.2
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 Desktop
  • RedHat Enterprise Linux 4 ES
  • RedHat Enterprise Linux 4 WS
  • RedHat Enterprise Linux 4.8.z AS
  • RedHat Enterprise Linux 4.8.z ES
  • RedHat Enterprise Linux 5
  • RedHat Enterprise Linux 5 Client
  • RedHat Enterprise Linux 6 Workstation
  • RedHat Enterprise Linux 6 Server
  • RedHat Enterprise Linux Desktop 6
  • RedHat Enterprise Linux EUS 5.6.z
  • RedHat Enterprise Linux HPC Node 6
  • RedHat Enterprise Linux Long Life 5.6
  • RedHat Enterprise Linux Server EUS 6.0.z
  • Wietse Venema Postfix 2.3.0
  • Wietse Venema Postfix 2.3.1
  • Wietse Venema Postfix 2.3.10
  • Wietse Venema Postfix 2.3.11
  • Wietse Venema Postfix 2.3.12
  • Wietse Venema Postfix 2.3.13
  • Wietse Venema Postfix 2.3.14
  • Wietse Venema Postfix 2.3.2
  • Wietse Venema Postfix 2.3.3
  • Wietse Venema Postfix 2.3.4
  • Wietse Venema Postfix 2.3.5
  • Wietse Venema Postfix 2.3.6
  • Wietse Venema Postfix 2.3.7
  • Wietse Venema Postfix 2.3.8
  • Wietse Venema Postfix 2.3.9
  • Wietse Venema Postfix 2.4
  • Wietse Venema Postfix 2.4.0
  • Wietse Venema Postfix 2.4.1
  • Wietse Venema Postfix 2.4.2
  • Wietse Venema Postfix 2.4.3
  • Wietse Venema Postfix 2.4.4
  • Wietse Venema Postfix 2.4.5
  • Wietse Venema Postfix 2.4.6
  • Wietse Venema Postfix 2.4.7
  • Wietse Venema Postfix 2.4.8
  • Wietse Venema Postfix 2.5.0
  • Wietse Venema Postfix 2.5.1
  • Wietse Venema Postfix 2.5.2
  • Wietse Venema Postfix 2.5.3
  • Wietse Venema Postfix 2.5.4
  • Wietse Venema Postfix 2.5.5

Reported:

Mar 07, 2011

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com


* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
