Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2012-3523

Overview

Vulnerability Score 6.8 6.8
CVE Id CVE-2012-3523
Last Modified 21 Feb 2013 11:39:11
Published 11 Nov 2012 08:00:46
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2012-3523

Summary

The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

Vulnerable Systems

Application

  • Isc Inn 1.4

  • Isc Inn 1.4sec

  • Isc Inn 1.4sec2

  • Isc Inn 1.4unoff3

  • Isc Inn 1.4unoff4

  • Isc Inn 1.5

  • Isc Inn 1.5.1

  • Isc Inn 1.7

  • Isc Inn 1.7.2

  • Isc Inn 2.0

  • Isc Inn 2.1

  • Isc Inn 2.2

  • Isc Inn 2.2.1

  • Isc Inn 2.2.2

  • Isc Inn 2.2.3

  • Isc Inn 2.4.0

  • Isc Inn 2.5.2


References

MANDRIVA - MDVSA-2012:156

SUSE - openSUSE-SU-2012:1171

SECUNIA - 50661

Related Patches

Novell SUSE 2012:6774 inn security update for SLES 11 SP2 i586

Novell SUSE 2012:6774 inn security update for SLES 11 SP2 x86_64

Novell SUSE 2012:8276 inn security update for SLES 10 SP4 x86_64

Novell SUSE 2012:8276 inn security update for SLES 10 SP4 i586


Last Updated: 27 May 2016 10:56:40