stunnel < 5.12 OpenSSL Multiple Vulnerabilities

Medium Nessus Plugin ID 82077

Synopsis

The remote Windows host contains a program that is affected by multiple vulnerabilities.

Description

The version of stunnel installed on the remote host is prior to version 5.12. It is, therefore, affected by the following vulnerabilities in the bundled OpenSSL library :

- A flaw exists in the DTLSv1_listen() function due to state information being preserved in the SSL object from one invocation to the next. A remote attacker can exploit this, via crafted DTLS traffic, to cause a segmentation fault, resulting in a denial of service.
(CVE-2015-0207)

- A flaw exists in the rsa_item_verify() function due to improper implementation of ASN.1 signature verification.
A remote attacker can exploit this, via an ASN.1 signature using the RSA PSS algorithm and invalid parameters, to cause a NULL pointer dereference, resulting in a denial of service. (CVE-2015-0208)

- A use-after-free error exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209)

- A flaw exists in the ssl3_client_hello() function due to improper validation of a PRNG seed before proceeding with a handshake, resulting in insufficient entropy and predictable output. A man-in-the-middle attacker can exploit this to defeat cryptographic protection mechanisms via a brute-force attack, resulting in the disclosure of sensitive information. (CVE-2015-0285)

- An invalid read flaw exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service.
(CVE-2015-0286)

- A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize 'CHOICE' and 'ADB' data structures when reusing a structure in ASN.1 parsing. A remote attacker can exploit this to cause an invalid write operation and memory corruption, resulting in a denial of service. (CVE-2015-0287)

- A NULL pointer dereference flaw exists in the X509_to_X509_REQ() function due to improper processing of certificate keys. This allows a remote attacker, via a crafted X.509 certificate, to cause a denial of service. (CVE-2015-0288)

- A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing outer ContentInfo. This allows a remote attacker, using an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, to cause a denial of service. (CVE-2015-0289)

- A flaw exists with the 'multiblock' feature in the ssl3_write_bytes() function due to improper handling of certain non-blocking I/O cases. This allows a remote attacker to cause failed connections or a segmentation fault, resulting in a denial of service. (CVE-2015-0290)

- A NULL pointer dereference flaw exists when handling clients attempting to renegotiate using an invalid signature algorithm extension. A remote attacker can exploit this to cause a denial of service.
(CVE-2015-0291)

- A flaw exists in servers that both support SSLv2 and enable export cipher suites due to improper implementation of SSLv2. A remote attacker can exploit this, via a crafted CLIENT-MASTER-KEY message, to cause a denial of service. (CVE-2015-0293)

- A flaw exists in the ssl3_get_client_key_exchange() function when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled. A remote attacker can exploit this, via a ClientKeyExchange message with a length of zero, to cause a denial of service. (CVE-2015-1787)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Stunnel 5.12 or later.

See Also

https://www.openssl.org/news/secadv/20150319.txt

http://www.nessus.org/u?cdf29d06

Plugin Details

Severity: Medium

ID: 82077

File Name: stunnel_5_12.nasl

Version: 1.14

Type: local

Agent: windows

Family: Windows

Published: 2015/03/25

Updated: 2018/07/30

Dependencies: 65689

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:stunnel:stunnel

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2015/03/19

Vulnerability Publication Date: 2015/03/19

Reference Information

CVE: CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0293, CVE-2015-1787

BID: 73225, 73226, 73227, 73229, 73230, 73231, 73232, 73234, 73235, 73237, 73238, 73239