The Community Forums


POP3 Service STLS Plaintext Command Injection

Discussion in 'Security' started by redbeck, Mar 5, 2012.

  1. redbeck

    redbeck Member

    Joined:
    Nov 19, 2010
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    We are currently upgrading a server to meet PCI compliance standards, however we are currently stuck on 2 vulnerabilities:

    The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.

    The remote POP3 service contains a software flaw in its STLS implementation that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.
    Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.

    The output from the test was:

    Nessus sent the following two commands in a single packet :
    STLS\r\nCAPA\r\n
    And the server sent the following two responses :
    +OK Begin SSL/TLS negotiation now. +OK Here's what I can do:

    IMAP suffers from a similar problem: The remote IMAP service contains a software flaw in its STARTTLS implementation that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.

    Anyone have any ideas as it just says Contact the vendor to see if an update is available. We are running Exim 4.76 and use standard imap / pop3 services provided by cpanel. WHM 11.30.6 (build 3).

    Could it be anything to do with how these services are compiled with OpenSSL, or an issue with OpenSSL itself?
     
  2. redbeck

    redbeck Member

    Joined:
    Nov 19, 2010
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    I'm coming to the conclusion that this is a false positive. Exim does not seem to have a stream abstraction like Postfix, Sendmail or qmail. Instead of replacing streams or stream properties, Exim replaces plaintext read/write functions with TLS read/write functions. Because of their program structure, Sendmail and Exim didn't suffer from the plaintext injection flaw.

    More at SecurityFocus
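The two posts above describe the symptom (a CAPA sent in the same packet as STLS is answered after the TLS handshake) and the cause (a read buffer that survives the switch from plaintext to TLS). The following is an added illustration, not code from the thread, from cPanel, or from Exim: a toy POP3 command loop driven from an in-memory transport, run once with the vulnerable behaviour and once with the fix of discarding the plaintext buffer when STLS is accepted. `FakeTransport`, `LineReader`, `serve` and `injected_command_executed` are constructed names for this example; the client bytes replay the probe quoted in the first post.

```python
"""Simulated STLS plaintext-injection flaw and its server-side fix (added example).

The vulnerable variant keeps a line buffer across the STLS transition, so a
command that arrived in the same plaintext packet as STLS is still buffered
after the (simulated) handshake and is executed as if it had come in over TLS.
The fixed variant throws the plaintext buffer away before switching to TLS.
"""


class FakeTransport:
    """Constructed stand-in for a socket: client bytes queued up front, plus a
    flag recording whether the simulated TLS layer has been installed."""

    def __init__(self, client_bytes: bytes):
        self.rx = client_bytes
        self.tls = False
        self.responses = []  # (sent_over_tls, response_line)

    def recv(self, n: int = 4096) -> bytes:
        chunk, self.rx = self.rx[:n], self.rx[n:]
        return chunk  # b"" once the client has nothing more queued

    def send(self, line: str) -> None:
        self.responses.append((self.tls, line))

    def start_tls(self) -> None:
        self.tls = True  # stands in for the real handshake


class LineReader:
    """Buffered CRLF line reader; the buffer is the root of the problem."""

    def __init__(self, transport: FakeTransport):
        self.t = transport
        self.buf = b""

    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.t.recv()
            if not chunk:
                return None  # peer closed / nothing left
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def discard(self) -> None:
        """Drop anything read from the plaintext phase but not yet processed."""
        self.buf = b""


def serve(transport: FakeTransport, discard_on_stls: bool, max_cmds: int = 10):
    """Minimal POP3 command loop: only STLS, CAPA and QUIT are understood."""
    reader = LineReader(transport)
    transport.send("+OK POP3 ready")
    for _ in range(max_cmds):
        line = reader.readline()
        if line is None:
            break
        cmd = line.split(" ", 1)[0].upper()
        if cmd == "STLS":
            if transport.tls:
                transport.send("-ERR TLS already active")
                continue
            transport.send("+OK Begin SSL/TLS negotiation now.")  # still plaintext
            if discard_on_stls:
                reader.discard()  # the fix: forget pipelined plaintext input
            transport.start_tls()
        elif cmd == "CAPA":
            transport.send("+OK Here's what I can do:")
        elif cmd == "QUIT":
            transport.send("+OK bye")
            break
        else:
            transport.send("-ERR unknown command")
    return transport.responses


def injected_command_executed(discard_on_stls: bool) -> bool:
    """Replay the probe from the thread (STLS and CAPA in one packet) and
    report whether the CAPA reply went out after TLS was switched on."""
    t = FakeTransport(b"STLS\r\nCAPA\r\n")
    responses = serve(t, discard_on_stls)
    return any(over_tls and r.startswith("+OK Here's") for over_tls, r in responses)


if __name__ == "__main__":
    print("vulnerable server executes injected CAPA:", injected_command_executed(False))
    print("fixed server executes injected CAPA:     ", injected_command_executed(True))
```

The vulnerable run answers CAPA with `tls=True`, which is exactly the pattern the scanner flags: a reply under TLS to a command the client never sent under TLS. A server that reads straight from the socket with no pre-read buffer carried across the switch, which is what the second post says Exim does by swapping its read/write functions, never holds the CAPA bytes at the moment the TLS layer is installed, so the question of discarding them does not arise.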
     