Overview
Some STARTTLS implementations could allow a remote attacker to inject commands during the plaintext phase of the protocol.
Description
STARTTLS is an extension to plaintext communication protocols that offers a way to upgrade a plaintext connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication. Some implementations of STARTTLS contain a vulnerability that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase which are then executed during the ciphertext protocol phase. This vulnerability is caused by the switch from plaintext to TLS being implemented below the application's I/O buffering layer: data that was read ahead into the application buffer during the plaintext phase is still there after the handshake and is consumed as if it had arrived over TLS. This issue is only of practical concern for affected implementations that also perform correct certificate validation. Implementations which do not perform certificate validation are already inherently vulnerable to man-in-the-middle attacks.
Impact
A remote attacker with the ability to pose as a man-in-the-middle may be able to inject commands for the corresponding protocol (e.g., SMTP, POP3, etc.) during the plaintext protocol phase, which will then be executed during the ciphertext protocol phase.
Solution
Update
Apply the fixed release or patch from the affected vendor where one is available (see the Vendor Information section below).
Purge the application I/O buffer
When handling STARTTLS, discard any data still held in the application's read buffer before the TLS handshake begins, so that bytes received during the plaintext phase can never be processed as part of the ciphertext phase.
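The buffering defect described above and the "purge the application I/O buffer" fix, as an added in-process simulation that is not CERT's code nor any listed vendor's; FakeTransport, LineReader, run_server and the traffic in CHUNKS are all constructed for this example, and the TLS switch is only flagged, not performed.

```python
"""
Simulation of the VU#555316 defect: the plaintext-to-TLS switch happens below the
application's read buffer, so bytes that arrived in plaintext (read ahead together
with the STARTTLS line) are later consumed as if they had come over TLS.
Added example: the transport, the TLS switch and the SMTP-like dispatcher are all
simulated in-process; no real sockets or TLS are involved.
"""


class FakeTransport:
    """Hands out constructed network chunks in arrival order.

    In a real server this is the socket; start_tls() stands in for the TLS
    handshake that re-wraps the socket without touching the layer above it.
    """

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.tls = False  # True once the simulated handshake has completed

    def recv(self):
        return self.chunks.pop(0) if self.chunks else b""

    def start_tls(self):
        self.tls = True


class LineReader:
    """Application-level read buffer above the transport (the I/O layer the advisory names)."""

    def __init__(self, transport):
        self.transport = transport
        self.buf = b""

    def readline(self):
        # Pull whole chunks from the transport; anything beyond the first CRLF stays buffered.
        while b"\r\n" not in self.buf:
            chunk = self.transport.recv()
            if not chunk:
                return None
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def purge(self):
        """The advisory's fix: discard read-ahead data before the TLS phase begins."""
        discarded, self.buf = self.buf, b""
        return discarded


def run_server(chunks, purge_on_starttls):
    """Return the (phase, command) pairs the server would execute, in order."""
    transport = FakeTransport(chunks)
    reader = LineReader(transport)
    executed = []
    while (line := reader.readline()) is not None:
        cmd = line.decode("ascii", "replace")
        phase = "tls" if transport.tls else "plain"
        if cmd.upper() == "STARTTLS" and not transport.tls:
            if purge_on_starttls:
                reader.purge()  # a non-empty buffer here is worth logging: it should never happen
            transport.start_tls()
            continue
        executed.append((phase, cmd))
        if cmd.upper() == "QUIT":
            break
    return executed


# Constructed traffic: the first chunk is what arrives in plaintext (the STARTTLS line with
# a trailing command read ahead into the buffer); the second is what the real client sends
# after the handshake completes.
CHUNKS = [
    b"EHLO relay.example\r\nSTARTTLS\r\nNOOP read-ahead-plaintext\r\n",
    b"EHLO client.example\r\nQUIT\r\n",
]

if __name__ == "__main__":
    print("vulnerable:", run_server(CHUNKS, purge_on_starttls=False))
    print("fixed:     ", run_server(CHUNKS, purge_on_starttls=True))
```

Without the purge, the NOOP line that arrived in plaintext is executed in the "tls" phase; with it, the server's first post-handshake command is the one the real client sent.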
Vendor Information
Cyrus-IMAP Affected
Updated: May 17, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Debian GNU/Linux Affected
Updated: May 11, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ipswitch, Inc Affected
Notified: January 21, 2011 Updated: March 01, 2011
Status
Affected
Vendor Statement
We will work on addressing this vulnerability in an upcoming release of IMail.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Kerio Technologies Affected
Notified: January 19, 2011 Updated: March 01, 2011
Status
Affected
Vendor Statement
We are going to resolve the issue in the next product version.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Postfix Affected
Updated: March 03, 2011
Status
Affected
Vendor Statement
Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available. These releases contain a fix for CVE-2011-0411 which allows plaintext command injection with SMTP sessions over TLS. This defect was introduced with Postfix version 2.2.
Postfix 2.8 and 2.9 are not affected.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Qmail-TLS Affected
Notified: January 19, 2011 Updated: March 07, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Q-Mail has released a patch to address this vulnerability.
Addendum
Note that Qmail-TLS is a third-party extension for the qmail software.
Because STARTTLS is not supported by default in either the original qmail distribution or the netqmail distribution, those distributions are not vulnerable to this issue.
Red Hat, Inc. Affected
Notified: January 19, 2011 Updated: April 07, 2011
Status
Affected
Vendor Statement
Vulnerable. This issue affects postfix packages in Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact; a future update will address this flaw.
This issue did not affect the versions of the sendmail package as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6, as Sendmail, by switching to SMTP over TLS, replaces the entire received SMTP command stream, along with its read/write buffers and read/write functions.
This issue did not affect the versions of the exim package as shipped with Red Hat Enterprise Linux 4 and 5, as Exim, by switching to SMTP over TLS, replaces plaintext read/write functions with TLS read/write functions.
Vendor Information
Red Hat has released updated postfix packages for:
Red Hat Enterprise Linux 4 and 5:
- https://rhn.redhat.com/errata/RHSA-2011-0423.html
- https://bugzilla.redhat.com/show_bug.cgi?id=674814#c27
Vendor References
http://www.redhat.com/security/data/cve/CVE-2011-0411.html
https://rhn.redhat.com/errata/RHSA-2011-0422.html
https://bugzilla.redhat.com/show_bug.cgi?id=674814#c26
https://rhn.redhat.com/errata/RHSA-2011-0423.html
https://bugzilla.redhat.com/show_bug.cgi?id=674814#c27
Addendum
There are no additional comments at this time.
Sun Microsystems, Inc. Affected
Notified: January 19, 2011 Updated: March 01, 2011
Status
Affected
Vendor Statement
The issue is being fixed in affected products and would be announced in a quarterly Oracle Critical Patch update.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ubuntu Affected
Updated: May 11, 2011
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
- https://launchpad.net/ubuntu/+source/postfix/2.8.2-1ubuntu2.1
- https://launchpad.net/ubuntu/+source/postfix/2.7.1-1ubuntu0.2
- https://launchpad.net/ubuntu/+source/postfix/2.7.0-1ubuntu0.2
- https://launchpad.net/ubuntu/+source/postfix/2.5.1-2ubuntu1.4
- https://launchpad.net/ubuntu/+source/postfix/2.2.10-1ubuntu0.4
Watchguard Technologies, Inc. Affected
Notified: January 19, 2011 Updated: April 14, 2011
Status
Affected
Vendor Statement
TLS Command Injection Vulnerability: A TLS Hotfix is available for XCS version 9.0 and 9.1 to resolve a potential command injection vulnerability in the TLS over SMTP implementation. The vulnerability makes it possible to allow a man-in-the-middle to inject commands during the plaintext protocol phase, that would be executed during the ciphertext protocol phase. A full description of the vulnerability is described in CERT Vulnerability Note VU#555316. This fix is included in the XCS 9.0 Update 1 as well as the XCS 9.1 TLS Hotfix updates.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Blue Coat Systems Not Affected
Notified: January 19, 2011 Updated: March 28, 2011
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
EXIM Not Affected
Notified: March 07, 2011 Updated: March 14, 2011
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Force10 Networks, Inc. Not Affected
Notified: January 19, 2011 Updated: July 22, 2011
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fortinet, Inc. Not Affected
Notified: January 19, 2011 Updated: March 16, 2011
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Global Technology Associates, Inc. Not Affected
Notified: January 19, 2011 Updated: March 14, 2011
Status
Not Affected
Vendor Statement
GTA's GB-OS based firewalls are not affected by this vulnerability.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Corporation Not Affected
Notified: March 07, 2011 Updated: March 14, 2011
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetApp Not Affected
Notified: January 19, 2011 Updated: March 15, 2011
Status
Not Affected
Vendor Statement
No NetApp Data ONTAP(R) products are vulnerable to this issue.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Novell, Inc. Not Affected
Notified: January 19, 2011 Updated: March 03, 2011
Status
Not Affected
Vendor Statement
Our GroupWise Engineering team does not feel that we are vulnerable to this issue.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Palo Alto Networks Not Affected
Notified: January 19, 2011 Updated: March 01, 2011
Status
Not Affected
Vendor Statement
We are not vulnerable to it.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
The SCO Group Not Affected
Notified: January 19, 2011 Updated: September 08, 2011
Status
Not Affected
Vendor Statement
The SCOoffice 4.2 product we ship does not currently support TLS and the product is not vulnerable for this reason.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Wind River Systems, Inc. Not Affected
Notified: January 19, 2011 Updated: March 14, 2011
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
3com Inc Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ACCESS Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
AT&T Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Alcatel-Lucent Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
America Online Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Apache HTTP Server Project Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Avaya, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Barracuda Networks Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Belkin, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Borderware Technologies Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Check Point Software Technologies Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Cisco Systems, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Clavister Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Computer Associates Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Courier-mta Unknown
Notified: January 27, 2011 Updated: January 27, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Cray Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
EMC Corporation Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Enterasys Networks Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ericsson Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Extreme Networks Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
F5 Networks, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Foundry Networks, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fujitsu Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Google Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hitachi Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM eServer Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IP Infusion, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Infoblox Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Intel Corporation Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Internet Security Systems, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Intoto Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Juniper Networks, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
M86 Security Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
McAfee Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NEC Corporation Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nokia Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nortel Networks, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Oracle Corporation Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Process Software Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Q1 Labs Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
QNX Software Systems Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
RadWare, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Redback Networks, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SUSE Linux Unknown
Notified: March 14, 2011 Updated: March 14, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SafeNet Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Secureworx, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sendmail Consortium Unknown
Notified: March 07, 2011 Updated: March 07, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sony Corporation Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Stonesoft Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Symantec Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
U4EA Technologies, Inc. Unknown
Notified: March 07, 2011 Updated: March 07, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Unisys Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vyatta Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ZyXEL Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
eSoft, Inc. Unknown
Notified: January 19, 2011 Updated: January 19, 2011
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Acknowledgements
Thanks to Wietse Venema for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
CVE IDs: CVE-2011-0411, CVE-2011-1430, CVE-2011-1431, CVE-2011-1432, CVE-2011-1575
Severity Metric: 1.39
Date Public: 2011-03-07
Date First Published: 2011-03-07
Date Last Updated: 2011-09-08 14:58 UTC
Document Revision: 53