Overview
The Intetc plugin for the NSIS installer fails to validate SSL certificates, which makes affected installers vulnerable to HTTPS spoofing.
Description
Inetc is a plugin for the NSIS installer software that provides the ability to download files from the internet. Although Inetc supports the ability to download files using the HTTPS protocol, it does not validate SSL certificate chains. |
Impact
An attacker can spoof content retrieved using HTTPS. Depending on what the installer does with content retrieved over HTTPS, the impact can be as severe as arbitrary code execution with elevated privileges. |
Solution
Apply an update This issue is resolved in Inetc builds starting September 6, 2015. This version no longer passes any SECURITY_FLAG_IGNORE_* flags to WinINet by default. |
Only install software while connected to a trusted network |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.3 | AV:A/AC:M/Au:N/C:C/I:C/A:-- |
| Temporal | 7.3 | E:H/RL:U/RC:C |
| Environmental | 7.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2015-0941 |
| Date Public: | 2011-01-31 |
| Date First Published: | 2015-03-20 |
| Date Last Updated: | 2015-09-08 15:54 UTC |
| Document Revision: | 27 |