stunnel < 5.00 PRNG State Security Weakness

2014-03-2600:00:00

www.tenable.com

The version of stunnel installed on the remote host is prior to version 5.00. It is, therefore, affected by a security weakness due to the PRNG state not being reset for new connections where the server forks. A remote attacker can exploit this issue to disclose sensitive information, such as the private key used for EC (ECDSA) or DSA certificates.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(73212);
  script_version("1.7");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2014-0016");
  script_bugtraq_id(65964);

  script_name(english:"stunnel < 5.00 PRNG State Security Weakness");
  script_summary(english:"Checks version of stunnel.exe.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a program that is affected by a
security weakness.");
  script_set_attribute(attribute:"description", value:
"The version of stunnel installed on the remote host is prior to
version 5.00. It is, therefore, affected by a security weakness due to
the PRNG state not being reset for new connections where the server
forks. A remote attacker can exploit this issue to disclose sensitive
information, such as the private key used for EC (ECDSA) or DSA
certificates.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.stunnel.org/?page=sdf_ChangeLog");
  # https://www.stunnel.org/pipermail/stunnel-announce/2014-March/000074.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6daa163b");
  script_set_attribute(attribute:"solution", value:"Upgrade to stunnel version 5.00 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:stunnel:stunnel");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("stunnel_installed.nasl");
  script_require_keys("installed_sw/stunnel");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

app = 'stunnel';
install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);

version = install["version"];
path = install["path"];

# Affected < 5.00
if (version =~ "^[0-4]($|[^0-9])")
{
  port = get_kb_item("SMB/transport");
  if (!port) port = 445;

  report =
    '\n  Path              : ' + path +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : 5.00\n';
  security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

VendorProductVersionCPE
stunnelstunnelcpe:/a:stunnel:stunnel

Vendor	Product	Version	CPE
stunnel	stunnel		cpe:/a:stunnel:stunnel

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0016

www.nessus.org/u?6daa163b

www.stunnel.org/?page=sdf_ChangeLog

JSON

Related for STUNNEL_5_00.NASL