NSIS Inetc plug-in fails to validate SSL certificates

2015-03-20T00:00:00
ID VU:894897
Type cert
Reporter CERT
Modified 2015-09-08T15:54:00

Description

Overview

The Inetc plug-in for the NSIS installer fails to validate SSL certificates, which leaves installers that use it to download over HTTPS open to spoofing by an attacker on the network path.

Description

Inetc is a plug-in for the Nullsoft Scriptable Install System (NSIS) that gives installers the ability to download files from the internet. Although Inetc can download over HTTPS, it does not validate the server's SSL certificate chain: the plug-in passes WinINet the SECURITY_FLAG_IGNORE_* options, which suppress unknown-CA, expired-certificate and hostname-mismatch errors, so a connection to any server presenting any certificate succeeds. The HTTPS transport therefore protects against passive eavesdropping only; it does not authenticate the server the installer is talking to.


Impact

An attacker able to intercept the installer's network traffic (for example on the same LAN or Wi-Fi network, or by controlling the DNS server or proxy the victim uses) can substitute arbitrary content for anything the installer retrieves over HTTPS. Depending on what the installer does with that content, the impact can be as severe as arbitrary code execution with the installer's privileges, which for most Windows installers means elevated (administrator) privileges.


Solution

Apply an update

This issue is resolved in Inetc builds dated September 6, 2015 or later, which no longer pass any SECURITY_FLAG_IGNORE_* flags to WinINet by default. Note that the plug-in is compiled into each installer that uses it, so end users cannot update it in place: developers of affected installers need to rebuild with the fixed plug-in and redistribute their installers.
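The following is an added example, not code from the CERT note or from the Inetc plug-in itself. It models the two halves of the problem in Python's ssl and hashlib APIs: the weak TLS client configuration Inetc shipped with (every certificate accepted, which is what WinINet's SECURITY_FLAG_IGNORE_* options do) next to the corrected configuration, and the defence in depth an installer should apply regardless of the transport: pin the SHA-256 of the payload at build time and refuse to run anything that does not match, the approach the Dropbox addendum below describes. The fetch callback, the host name and the payload bytes are constructed for this example so that it runs offline.

```python
"""Weak vs. corrected TLS client settings, plus pinned-digest verification
of a downloaded installer payload. Added example; not Inetc or CERT code."""
import hashlib
import hmac
import ssl
from typing import Callable, Optional


def insecure_context() -> ssl.SSLContext:
    """Weak setting: what an Inetc build before 2015-09-06 effectively did.

    CERT_NONE skips chain and validity checks (WinINet's
    SECURITY_FLAG_IGNORE_UNKNOWN_CA / SECURITY_FLAG_IGNORE_CERT_DATE_INVALID)
    and check_hostname=False skips the name match
    (SECURITY_FLAG_IGNORE_CERT_CN_INVALID). Any on-path attacker presenting a
    self-signed certificate is accepted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """Corrected setting: chain, validity period and host name are all checked.

    create_default_context() already sets CERT_REQUIRED, check_hostname=True
    and loads the system trust store; nothing is switched off afterwards.
    """
    return ssl.create_default_context()


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an untrusted or mis-named cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# Constructed payloads: the genuine update and what an attacker on the LAN
# would substitute after spoofing the HTTPS endpoint.
GENUINE_PAYLOAD = b"MZ\x90\x00genuine-updater-v3.2.9"
SPOOFED_PAYLOAD = b"MZ\x90\x00attacker-controlled-binary"

# The installer author computes this at build time and embeds it in the
# installer; it is computed here only so the example is self-contained.
PINNED_SHA256 = hashlib.sha256(GENUINE_PAYLOAD).hexdigest()


def payload_matches_pin(data: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of the payload digest against the pinned value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def fetch_and_verify(url: str, expected_sha256_hex: str,
                     fetch: Callable[[str, ssl.SSLContext], bytes],
                     ctx: Optional[ssl.SSLContext] = None) -> Optional[bytes]:
    """Download with a verifying TLS context, then check the pinned digest.

    Returns the payload if both checks pass, otherwise None, so the caller
    never writes or executes an unverified file. `fetch` is a hypothetical
    injected transport (not an Inetc API) so the flow can run offline.
    """
    if ctx is None:
        ctx = secure_context()
    if not context_verifies_peer(ctx):
        return None     # refuse a context that accepts any certificate
    data = fetch(url, ctx)
    if not payload_matches_pin(data, expected_sha256_hex):
        return None     # spoofed or corrupted download
    return data


def run_demo() -> dict:
    """Exercise the flow against an honest and a spoofing fake server."""
    url = "https://updates.example.invalid/update.exe"   # constructed host

    def honest_server(_url: str, _ctx: ssl.SSLContext) -> bytes:
        return GENUINE_PAYLOAD

    def mitm_server(_url: str, _ctx: ssl.SSLContext) -> bytes:
        # With insecure_context() the TLS handshake to this server would have
        # succeeded; the pinned digest is the check that still catches it.
        return SPOOFED_PAYLOAD

    return {
        "insecure_ctx_rejected": fetch_and_verify(
            url, PINNED_SHA256, honest_server, insecure_context()) is None,
        "genuine_accepted": fetch_and_verify(
            url, PINNED_SHA256, honest_server) == GENUINE_PAYLOAD,
        "spoofed_rejected": fetch_and_verify(
            url, PINNED_SHA256, mitm_server) is None,
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

In an NSIS script the equivalent discipline is to build with an Inetc dated 2015-09-06 or later, check `inetc::get`'s result on the stack, and compare the downloaded file's hash against a value embedded in the installer before handing it to `ExecWait`; the digest check is what protects the installer even if the transport is later found to be weak again.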


Only install software while connected to a trusted network

Because an unpatched Inetc plug-in accepts any SSL certificate, NSIS-based installers that download components should not be run while connected to a network that is inherently untrusted (such as public Wi-Fi) or that has untrusted users on it. A user generally cannot tell from the installer alone whether it uses Inetc, or which build of the plug-in it contains, so this precaution applies to NSIS installers in general.


Vendor Information

CERT/CC Affected

Updated: March 20, 2015

Status

Affected

Vendor Statement

The installer for FOE is affected. To minimize the risk of installing FOE on an untrusted network, use the installer on the ISO.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://www.cert.org/vulnerability-analysis/tools/foe.cfm>

Dropbox Affected

Notified: March 03, 2015 Updated: March 20, 2015

Status

Affected

Vendor Statement

Dropbox patched its service within hours of notification, and the fix went live on March 4, 2015. All Dropbox clients are safe, and there is no evidence to indicate the vulnerability was ever exploited. Users are not vulnerable and don't need to take any action.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Dropbox 3.2.9 addresses this issue by performing additional validation of downloaded files.

Nullsoft Affected

Notified: January 31, 2011 Updated: February 25, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://nsis.sourceforge.net/Inetc_plug-in>

AVG Anti-virus Software Not Affected

Notified: February 25, 2015 Updated: February 26, 2015

Statement Date: February 26, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

AVG is not using NSIS for installation.
The only thing that ties AVG to NSIS is that the AVG scanning engine can unpack and scan NSIS installation packages.

Unify Inc Not Affected

Notified: February 25, 2015 Updated: March 23, 2015

Status

Not Affected

Vendor Statement

Unify uses NSIS in parts of its product portfolio, but only in the context of its own SW provisioning and update processes, which provide appropriate integrity protection. The Inetc plugin of NSIS is not used.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

7-Zip.org Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

AMD Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Adobe Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Debian GNU/Linux Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

DivX, Inc. Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Ericsson Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

FreeRADIUS Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Intel Corporation Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

McAfee Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Mozilla Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Nokia Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenVPN Technologies Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Oracle Corporation Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Pidgin Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubuntu Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

VideoLAN Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Wireshark Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Xen Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Yahoo, Inc. Unknown

Notified: February 25, 2015 Updated: February 25, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 7.3 | AV:A/AC:M/Au:N/C:C/I:C/A:N
Temporal | 7.3 | E:H/RL:U/RC:C
Environmental | 7.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • <http://nsis.sourceforge.net>
  • <http://nsis.sourceforge.net/Inetc_plug-in>
  • <https://sourceforge.net/p/nsis/bugs/1022/>
  • <http://forums.winamp.com/showthread.php?p=3018645#post3018645>

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: | CVE-2015-0941
---|---
Date Public: | 2011-01-31
Date First Published: | 2015-03-20
Date Last Updated: | 2015-09-08 15:54 UTC
Document Revision: | 27