nginx < 1.6.1 / 1.7.4 SMTP STARTTLS Command Injection

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a command injection
vulnerability.

Description :

According to the self-reported version in the server response header,
the version of nginx installed on the remote host is 1.5.6 or higher,
1.6.x prior to 1.6.1, or 1.7.x prior to 1.7.4. It is, therefore,
affected by a command injection vulnerability.

A flaw exists in the function 'ngx_mail_smtp_starttls' within the file
'src/mail/ngx_mail_smtp_handler.c' whereby input to the STARTTLS
command is not properly sanitized. This could allow a remote attacker
in a privileged network position to obtain sensitive information by
injecting commands into an SSL session.

Note that this issue is exploitable only when nginx is used as an SMTP
proxy.
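The version gate the description above relies on, written out as an added Python example (not Tenable's plugin code): it parses a self-reported nginx Server banner and applies exactly the affected ranges stated here. It assumes the banner reflects the real build; a distribution package that backports the patch without bumping the version string will still be flagged, and a hidden version (server_tokens off) yields "unknown".

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory text (added example, not Tenable's code):
#   1.5.6 or higher in the 1.5.x line, 1.6.x prior to 1.6.1, 1.7.x prior to 1.7.4
SERVER_HEADER_RE = re.compile(r"^nginx/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_nginx_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Server header such as 'nginx/1.6.0'.

    Returns None when the header is not nginx or hides the version
    (a bare 'nginx', as produced with server_tokens off).
    """
    m = SERVER_HEADER_RE.match(server_header.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_by_cve_2014_3556(version: Tuple[int, int, int]) -> bool:
    """Apply the advisory's affected ranges to a parsed version tuple."""
    major, minor, patch = version
    if major != 1:
        return False
    if minor == 5:
        return patch >= 6      # 1.5.6 and later 1.5.x releases
    if minor == 6:
        return patch < 1       # 1.6.x prior to 1.6.1
    if minor == 7:
        return patch < 4       # 1.7.x prior to 1.7.4
    return False               # older lines and 1.8+ are outside the stated ranges


def check_server_header(server_header: str) -> str:
    """Classify a Server banner as 'affected', 'not affected' or 'unknown'.

    This is a banner-only check: it cannot tell whether the mail proxy
    (ngx_mail_smtp) is actually in use, which the advisory requires for
    exploitability, so treat 'affected' as a prompt to verify the deployment.
    """
    version = parse_nginx_version(server_header)
    if version is None:
        return "unknown"
    return "affected" if is_affected_by_cve_2014_3556(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for banner in ("nginx/1.6.0", "nginx/1.6.1", "nginx/1.7.3", "nginx/1.5.13", "nginx"):
        print(f"{banner:14} -> {check_server_header(banner)}")
```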

See also :

http://nginx.org/en/security_advisories.html
http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html
http://nginx.org/download/patch.2014.starttls.txt
http://nginx.org/en/CHANGES
http://nginx.org/en/CHANGES-1.6

Solution :

Apply the patch manually, or upgrade to nginx 1.6.1 / 1.7.4 or later.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 3.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 77246

Bugtraq ID: 69111

CVE ID: CVE-2014-3556
