[UNIX] Stunnel Format String Security Vulnerability

From: support@securiteam.com
Date: 01/04/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri,  4 Jan 2002 00:02:47 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Stunnel Format String Security Vulnerability
------------------------------------------------------------------------

SUMMARY

Stunnel (http://www.stunnel.org) is an SSL wrapper able to act as an SSL
client or server, enabling non-SSL-aware applications and servers to
utilize SSL encryption. In addition to the ability to perform as a simple
SSL encryption/decryption engine, Stunnel can negotiate SSL with several
other protocols, such as SMTP's "STARTTLS" option, using the '-n
protocolname' flag. Doing so requires that Stunnel watch the initial
protocol handshake before beginning the SSL

There are format string bugs in each of the SMTP, POP, and NNTP client
negotiations as supplied with Stunnel versions 3.3 up to 3.21c.

DETAILS

Vulnerable systems:
Stunnel versions prior to 3.15

Immune systems:
Stunnel versions 3.15 and up

Impact:
If you use Stunnel with the '-n smtp', '-n pop', '-n nntp' options in
client mode ('-c'), a malicious server could abuse the format string bug
to run arbitrary code as the owner of the Stunnel process. The user that
runs Stunnel depends on how you start Stunnel. It may or may not be root
- you will need to check how you invoke Stunnel to be sure.

There is no vulnerability unless you are invoking Stunnel with the '-n
smtp', '-n pop', or '-n nntp' options in client mode. There are no format
string bugs in Stunnel when run as an SSL server.
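As an added illustration (not code from this advisory or from the Stunnel source), the defect class described above in the SMTP client negotiation, beside its fixed form: the server's greeting must reach the logger as a '%s' argument, never as the format string. The logger's shape, the 220 greeting check and the sample banner are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample greeting from a hostile SMTP server. The '%' sequences
 * are plain bytes until some code passes this line to printf() as a format. */
static const char kHostileBanner[] = "220 mail.example.test ESMTP %x.%x.%n";

/* printf-style logger (assumption: stunnel's log helper has this shape). */
static void log_message(char *out, size_t out_len, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
}

/* BEFORE: the server line is the format string, so the remote side controls
 * what vsnprintf reads and writes. Kept for comparison only and never called
 * here, because with hostile input its behaviour is undefined. */
static void log_banner_vulnerable(char *out, size_t out_len, const char *line) {
    log_message(out, out_len, line);
}

/* AFTER: the line is a %s argument; any '%' inside it is inert data. */
static void log_banner_fixed(char *out, size_t out_len, const char *line) {
    log_message(out, out_len, "SMTP greeting: %s", line);
}

/* Client-side step of the '-n smtp' negotiation: accept only a 220 greeting
 * and log it through the fixed path. Returns 0 on success, -1 otherwise. */
static int smtp_check_greeting(const char *line, char *logbuf, size_t logbuf_len) {
    if (strncmp(line, "220", 3) != 0) {
        log_message(logbuf, logbuf_len, "unexpected SMTP greeting: %s", line);
        return -1;
    }
    log_banner_fixed(logbuf, logbuf_len, line);
    return 0;
}

/* Review aid: number of conversion directives in untrusted text ("%%" is a
 * literal percent). Any non-zero count is data to log, never a format. */
static int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else n++; }
    return n;
}

/* 1 if the hostile banner survives the fixed logger byte-for-byte. */
static int hostile_banner_is_inert(void) {
    char buf[128];
    if (smtp_check_greeting(kHostileBanner, buf, sizeof buf) != 0) return 0;
    return strcmp(buf + strlen("SMTP greeting: "), kHostileBanner) == 0;
}
```

Compiling with -Wformat-security only flags the vulnerable pattern when the logger carries a printf format attribute, which is why a grep for non-literal format arguments in the '-n' protocol code is the quicker review check.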

Mitigating factors:
If you start Stunnel as root but have it change userid to some other user
using the '-s username' option, the Stunnel process will be running as
'username' instead of root when this bug is triggered. If this is the
case, the attacker can still trick your Stunnel process into running code
as 'username', but not as root.

We suggest running Stunnel as a non-root user whenever possible, either
using the '-s' option or starting it as a non-privileged user.

Solution:
 * Upgrade to Stunnel-3.22, which is not vulnerable to these bugs

Or
 * Apply the following patch to your version of Stunnel and recompile:
   http://www.stunnel.org/patches/desc/formatbug_ml.html

ADDITIONAL INFORMATION

The information has been provided by Matthias Lange (ml@netuse.de)
and Brian Hatch (bri@stunnel.org).
