[Full-Disclosure] CGI.pm vulnerable to Cross-site Scripting.
2003-07-21T00:00:00
ID: SECURITYVULNS:DOC:4875 | Type: securityvulns | Reporter: Securityvulns | Modified: 2003-07-21
Description
Advisory Title: CGI.pm vulnerable to Cross-site Scripting.
Release Date: July 19 2003
Application: CGI.pm - which is by default included in many common Perl
distributions.
Platform: Most platforms. Tested on Apache and IIS.
Version: CGI.pm
Severity: Affects scripts which make use of start_form()
Author:
Obscure^
[ obscure@eyeonsecurity.org ]
Vendor Status:
First informed on 30th April 2003.
Although the author told EoS that he would be releasing a fix within a
week of his last correspondence (May 15), no fix is out yet on his
website.

Web:

http://stein.cshl.org/WWW/software/CGI/
http://eyeonsecurity.org/advisories/

Background.

(extracted from
http://stein.cshl.org/WWW/software/CGI/)

This perl 5 library uses objects to create Web fill-out forms on the fly
and to parse their contents. It provides a simple interface for parsing
and interpreting query strings passed to CGI scripts. However, it also
offers a rich set of functions for creating fill-out forms. Instead of
remembering the syntax for HTML form elements, you just make a series of
perl function calls. An important fringe benefit of this is that the
value of the previous query is used to initialize the form, so that the
state of the form is preserved from invocation to invocation.
Problem

CGI.pm has the ability to create forms by making use of the start_form()
function. The developer/perl scripter can also make use of
start_multipart_form(), which relies on start_form() and is therefore
vulnerable to the same issue. When the action for the form is not
specified, it is given the value of $self->url(-absolute=>1,-path=>1),
which means that when the URL is something like the following:

http://host/script.pl?">some%20text<!--%20

.. the form becomes:

<form action="http://host/script.pl">some text<!-- ">

In such a case, it is possible to exploit this issue to launch a Cross
Site Scripting attack.

Exploit Examples.

--
#!/usr/bin/perl
# example of exploitable script: no -action is passed to start_form(),
# so the form's action falls back to the reconstructed request URL
#

use strict;
use warnings;
use CGI;

my $q = CGI->new;
print $q->header;
print $q->start_html('CGI.pm XSS');
print $q->start_form();
print $q->end_form();
print $q->end_html;

--

Fix.

I fixed my CGI.pm by adding the following code at line 1537:

$action =~ s/\"/\%22/g;
Disclaimer.
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lies within the user's
responsibility.
Feedback.
Please send suggestions, updates, and comments to:
Eye on Security
mail : obscure@eyeonsecurity.org
web : http://www.eyeonsecurity.org
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html