CVE-2012-3523
Published 2012-11-11
Priority P333 · medium · 6.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 3.23% (86.7th percentile)
The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | inn | < inn2 2.5.3-1 (bookworm) | inn2 2.5.3-1 (bookworm) |
| debian | inn2 | < inn2 2.5.3-1 (bookworm) | inn2 2.5.3-1 (bookworm) |
| isc | inn | <= 2.5.2 | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
| isc | inn | — | — |
CVSS provenance
nvd · v2.0 · 6.8 · MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 · MEDIUM
vendor_debian · 6.8 · LOW
vendor_redhat · 6.8 · MEDIUM
GHSA
GHSA-g67q-3725-x6h7: The STARTTLS implementation in nnrpd in INN before 2
ghsa_unreviewed·2022-05-17·CVSS 6.8
OSV
CVE-2012-3523: The STARTTLS implementation in nnrpd in INN before 2
osv·2012-11-11·CVSS 6.8
Red Hat
(nnrpd): Prone to STARTTLS plaintext command injection
vendor_redhat·2012-06-15·CVSS 6.8
Statement: Not vulnerable. This issue did not affect the versions of inn as shipped with Red Hat Enterprise Linux 5 as they did not include support for the STARTTLS command.
Package: inn (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2012-3523: inn - The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly restr...
vendor_debian·2012·CVSS 6.8
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-3523 inn (nnrpd): Prone to STARTTLS plaintext command injection [fedora-all]
bugzilla·2012-08-21·CVSS 6.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type
Bugzilla
CVE-2012-3523 inn (nnrpd): Prone to STARTTLS plaintext command injection
bugzilla·2012-08-21·CVSS 6.8
The STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
Relevant upstream patch
(the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[3] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz
Discussion:
This issue affects the version of the inn package, as shipped with Red Hat Enterpri
http://lists.opensuse.org/opensuse-updates/2012-09/msg00058.html
http://secunia.com/advisories/50661
http://www.mandriva.com/security/advisories?name=MDVSA-2012:156