Vulnerabilities > CVE-2003-0740 - Stunnel listening-socket file descriptor leak (local daemon hijacking)
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
CVSS v2 base vector: AV:L/AC:L/Au:N/C:P/I:P/A:P (Au:N means no authentication to the stunnel service is needed; AV:L means the attacker still needs local access to the host)
Summary
Stunnel 4.00, and 3.24 and earlier, leak the privileged listening-socket file descriptor (the socket on which listen() was called — listen() itself returns only a status, not a descriptor) to local users, who can use it to hijack the stunnel service. Local access to the host is required, but no authentication to stunnel itself.
Vulnerable Configurations
Exploit-Db
description | Stunnel <= 3.24, 4.00 Daemon Hijacking Proof of Concept Exploit. CVE-2003-0740. Local exploit for linux platform |
id | EDB-ID:91 |
last seen | 2016-01-31 |
modified | 2003-09-05 |
published | 2003-09-05 |
reporter | Steve Grubb |
source | https://www.exploit-db.com/download/91/ |
title | Stunnel <= 3.24/4.00 - Daemon Hijacking Proof of Concept Exploit |
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2003-297.NASL description Updated stunnel packages are now available. These updates address problems stemming from improper use of non-reentrant functions in signal handlers. Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS) or to provide an encrypted means of connecting to services that do not natively support encryption. A previous advisory provided updated packages to address re-entrancy problems in stunnel last seen 2020-06-01 modified 2020-06-02 plugin id 12426 published 2004-07-06 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/12426 title RHEL 2.1 : stunnel (RHSA-2003:297) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2003:297. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(12426); script_version ("1.27"); script_cvs_date("Date: 2019/10/25 13:36:10"); script_cve_id("CVE-2003-0740"); script_xref(name:"RHSA", value:"2003:297"); script_name(english:"RHEL 2.1 : stunnel (RHSA-2003:297)"); script_summary(english:"Checks the rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing a security update." ); script_set_attribute( attribute:"description", value: "Updated stunnel packages are now available. These updates address problems stemming from improper use of non-reentrant functions in signal handlers. Stunnel is a wrapper for network connections. 
It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS) or to provide an encrypted means of connecting to services that do not natively support encryption. A previous advisory provided updated packages to address re-entrancy problems in stunnel's signal-handling routines. These updates did not address other bugs that were found by Steve Grubb, and introduced an additional bug, which was fixed in stunnel 3.26. All users should upgrade to these errata packages, which address these issues by updating stunnel to version 3.26. NOTE: After upgrading, any instances of stunnel configured to run in daemon mode should be restarted, and any active network connections that are currently being serviced by stunnel should be terminated and reestablished." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0740" ); # http://marc.theaimsgroup.com/?l=stunnel-users&m=105980139926784 script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=stunnel-users&m=105980139926784" ); # http://marc.theaimsgroup.com/?l=stunnel-users&m=106221975232250 script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=stunnel-users&m=106221975232250" ); # http://marc.theaimsgroup.com/?l=bugtraq&m=106260760211958 script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=106260760211958" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:297" ); script_set_attribute( attribute:"solution", value:"Update the affected stunnel package." 
); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:stunnel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/20"); script_set_attribute(attribute:"patch_publication_date", value:"2003/11/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! 
preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:297"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"stunnel-3.26-1.7.3")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "stunnel"); } }
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2003-108.NASL description A vulnerability was discovered in stunnel versions 3.24 and earlier, as well as 4.00, by Steve Grubb. It was found that stunnel leaks a critical file descriptor that can be used to hijack stunnel last seen 2020-06-01 modified 2020-06-02 plugin id 14090 published 2004-07-31 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/14090 title Mandrake Linux Security Advisory : stunnel (MDKSA-2003:108) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2003:108. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(14090); script_version ("1.21"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2003-0740"); script_xref(name:"MDKSA", value:"2003:108"); script_name(english:"Mandrake Linux Security Advisory : stunnel (MDKSA-2003:108)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "A vulnerability was discovered in stunnel versions 3.24 and earlier, as well as 4.00, by Steve Grubb. It was found that stunnel leaks a critical file descriptor that can be used to hijack stunnel's services. All users are encouraged to upgrade to these packages. Note that the version of stunnel provided with Mandrake Linux 9.1 and above is not vulnerable to this problem." ); # http://marc.theaimsgroup.com/?l=bugtraq&m=106260760211958&w=2 script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=106260760211958&w=2" ); script_set_attribute( attribute:"solution", value:"Update the affected stunnel package." 
); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:stunnel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2003/11/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"stunnel-3.26-1.1.90mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Redhat
advisories |
|