CVE-2010-1192 - Cryptographic Issues vulnerability in Stafford.Uklinux Libesmtp
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family: SuSE Local Security Checks
NASL id: SUSE_11_LIBESMTP-100430.NASL
description: libesmtp did not properly handle wildcards and embedded null characters in the Common Name of X.509 certificates (CVE-2010-1192 / CVE-2010-1194). This has been fixed.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 50929
published: 2010-12-02
reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/50929
title: SuSE 11 Security Update : libesmtp (SAT Patch Number 2390)
code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #

    include("compat.inc");

    # Plugin metadata
    if (description)
    {
      script_id(50929);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/25 13:36:39");

      script_cve_id("CVE-2010-1192", "CVE-2010-1194");

      script_name(english:"SuSE 11 Security Update : libesmtp (SAT Patch Number 2390)");
      script_summary(english:"Checks rpm output for the updated package");

      script_set_attribute(
        attribute:"synopsis",
        value:"The remote SuSE 11 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "libesmtp did not properly handle wildcards and embedded null characters in the Common Name of X.509 certificates (CVE-2010-1192 / CVE-2010-1194). This has been fixed."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=585393"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-1192.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2010-1194.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 2390.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libesmtp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

      script_set_attribute(attribute:"patch_publication_date", value:"2010/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/02");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    # Preconditions: local checks enabled, SLED/SLES 11, RPM list collected
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);

    # Hosts that report a patch level are audited out as not SuSE 11.0
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (pl) audit(AUDIT_OS_NOT, "SuSE 11.0");

    # Compare the installed package against the reference package
    flag = 0;
    if (rpm_check(release:"SLES11", sp:0, reference:"libesmtp-1.0.4-157.15.1")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");

NASL family: Mandriva Local Security Checks
NASL id: MANDRIVA_MDVSA-2010-195.NASL
description: Multiple vulnerabilities has been found and corrected in libesmtp : libESMTP, probably 1.0.4 and earlier, does not properly handle a \
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 49742
published: 2010-10-06
reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/49742
title: Mandriva Linux Security Advisory : libesmtp (MDVSA-2010:195)
code:

    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Mandriva Linux Security Advisory MDVSA-2010:195.
    # The text itself is copyright (C) Mandriva S.A.
    #

    include("compat.inc");

    # Plugin metadata
    if (description)
    {
      script_id(49742);
      script_version("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:53");

      script_cve_id("CVE-2010-1192", "CVE-2010-1194");
      script_bugtraq_id(38528, 38538);
      script_xref(name:"MDVSA", value:"2010:195");

      script_name(english:"Mandriva Linux Security Advisory : libesmtp (MDVSA-2010:195)");
      script_summary(english:"Checks rpm output for the updated packages");

      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Mandriva Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Multiple vulnerabilities has been found and corrected in libesmtp : libESMTP, probably 1.0.4 and earlier, does not properly handle a \'\0\' (NUL) character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2010-1192).
    The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName (CVE-2010-1194). Packages for 2008.0 and 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90 The updated packages have been patched to correct these issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64esmtp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64esmtp5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64esmtp5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libesmtp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libesmtp5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libesmtp5-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.1");

      script_set_attribute(attribute:"patch_publication_date", value:"2010/10/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/06");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");

      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

      exit(0);
    }

    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");

    # Preconditions: local checks enabled, Mandriva release known, RPM list collected
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

    # Compare installed packages against the reference packages, per release and architecture
    flag = 0;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64esmtp5-1.0.4-1.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64esmtp5-devel-1.0.4-1.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libesmtp5-1.0.4-1.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libesmtp5-devel-1.0.4-1.1mdv2008.0", yank:"mdv")) flag++;

    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64esmtp-devel-1.0.4-4.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64esmtp5-1.0.4-4.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libesmtp-devel-1.0.4-4.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libesmtp5-1.0.4-4.1mdv2009.0", yank:"mdv")) flag++;

    if (rpm_check(release:"MDK2009.1", cpu:"x86_64", reference:"lib64esmtp-devel-1.0.4-5.1mdv2009.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.1", cpu:"x86_64", reference:"lib64esmtp5-1.0.4-5.1mdv2009.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.1", cpu:"i386", reference:"libesmtp-devel-1.0.4-5.1mdv2009.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.1", cpu:"i386", reference:"libesmtp5-1.0.4-5.1mdv2009.1", yank:"mdv")) flag++;

    if (rpm_check(release:"MDK2010.0", cpu:"x86_64", reference:"lib64esmtp-devel-1.0.4-6.1mdv2010.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2010.0", cpu:"x86_64", reference:"lib64esmtp5-1.0.4-6.1mdv2010.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2010.0", cpu:"i386", reference:"libesmtp-devel-1.0.4-6.1mdv2010.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2010.0", cpu:"i386", reference:"libesmtp5-1.0.4-6.1mdv2010.0", yank:"mdv")) flag++;

    if (rpm_check(release:"MDK2010.1", cpu:"x86_64", reference:"lib64esmtp-devel-1.0.4-8.1mdv2010.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2010.1", cpu:"x86_64", reference:"lib64esmtp5-1.0.4-8.1mdv2010.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2010.1", cpu:"i386", reference:"libesmtp-devel-1.0.4-8.1mdv2010.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2010.1", cpu:"i386", reference:"libesmtp5-1.0.4-8.1mdv2010.1", yank:"mdv")) flag++;

    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_1_LIBESMTP-100430.NASL
description: libesmtp did not properly handle wildcards and embedded null characters in the Common Name of X.509 certificates (CVE-2010-1192, CVE-2010-1194).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 46250
published: 2010-05-07
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/46250
title: openSUSE Security Update : libesmtp (openSUSE-SU-2010:0220-1)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_2_LIBESMTP-100430.NASL
description: libesmtp did not properly handle wildcards and embedded null characters in the Common Name of X.509 certificates (CVE-2010-1192, CVE-2010-1194).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 46251
published: 2010-05-07
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/46251
title: openSUSE Security Update : libesmtp (openSUSE-SU-2010:0220-1)

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_0_LIBESMTP-100430.NASL
description: libesmtp did not properly handle wildcards and embedded null characters in the Common Name of X.509 certificates (CVE-2010-1192, CVE-2010-1194).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 46249
published: 2010-05-07
reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/46249
title: openSUSE Security Update : libesmtp (openSUSE-SU-2010:0220-1)

References
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
- http://www.openwall.com/lists/oss-security/2010/03/03/6
- http://www.openwall.com/lists/oss-security/2010/03/09/3
- http://www.vupen.com/english/advisories/2010/1107