CVE-2016-2379 - Inadequate Encryption Strength vulnerability in Pidgin Mxit

CVSS 8.8 - HIGH
Attack vector: ADJACENT_NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: low complexity, pidgin, CWE-326, nessus

Summary

The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords.

Vulnerable Configurations

Part         Description   Count
Application  Pidgin        1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Brute Force
    In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.
  • Encryption Brute Forcing
    An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201701-38.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201701-38 (Pidgin: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Pidgin. Please review the CVE identifiers referenced below for details. Impact: A remote attacker might send specially crafted data using the MXit protocol, possibly resulting in the remote execution of arbitrary code with the privileges of the process, a Denial of Service condition, or in leaking confidential information. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96542
    published: 2017-01-17
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96542
    title: GLSA-201701-38 : Pidgin: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201701-38.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96542);
      script_version("3.5");
      script_cvs_date("Date: 2018/11/15 11:40:29");
    
      script_cve_id("CVE-2016-1000030", "CVE-2016-2365", "CVE-2016-2366", "CVE-2016-2367", "CVE-2016-2368", "CVE-2016-2369", "CVE-2016-2370", "CVE-2016-2371", "CVE-2016-2372", "CVE-2016-2373", "CVE-2016-2374", "CVE-2016-2375", "CVE-2016-2376", "CVE-2016-2377", "CVE-2016-2378", "CVE-2016-2379", "CVE-2016-2380", "CVE-2016-4323");
      script_xref(name:"GLSA", value:"201701-38");
    
      script_name(english:"GLSA-201701-38 : Pidgin: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201701-38
    (Pidgin: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Pidgin. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker might send specially crafted data using the MXit
          protocol, possibly resulting in the remote execution of arbitrary code
          with the privileges of the process, a Denial of Service condition, or in
          leaking confidential information.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201701-38"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Pidgin users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=net-im/pidgin-2.11.0'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:pidgin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"net-im/pidgin", unaffected:make_list("ge 2.11.0"), vulnerable:make_list("lt 2.11.0"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Pidgin");
    }
    
  • NASL family: Windows
    NASL id: PIDGIN_2_11_0.NASL
    description: The version of Pidgin installed on the remote Windows host is prior to 2.11.0. It is, therefore, affected by multiple vulnerabilities: - A NULL pointer dereference flaw exists when handling the MXIT protocol. A remote attacker can exploit this, via crafted MXIT data, to cause a denial of service. (CVE-2016-2365) - Multiple out-of-bounds read errors exist when handling the MXIT protocol. A remote attacker can exploit these, via crafted MXIT data, to cause a denial of service. (CVE-2016-2366, CVE-2016-2370) - An out-of-bounds read error exists when handling the MXIT protocol. A remote attacker can exploit this, via an invalid size for an avatar, to disclose memory contents or cause a denial of service. (CVE-2016-2367) - Multiple memory corruption issues exist when handling the MXIT protocol. A remote attacker can exploit these, via crafted MXIT data, to disclose memory contents or execute arbitrary code. (CVE-2016-2368) - A NULL pointer dereference flaw exists when handling the MXIT protocol. A remote attacker can exploit this, via a crafted MXIT packet starting with a NULL byte, to cause a denial of service. (CVE-2016-2369) - An out-of-bounds write error exists when handling the MXIT protocol. A remote attacker can exploit this, via crafted MXIT data, to corrupt memory, resulting in the execution of arbitrary code. (CVE-2016-2371) - An out-of-bounds read error exists when handling the MXIT protocol. A remote attacker can exploit this, via an invalid size for a file transfer, to disclose memory contents or cause a denial of service. (CVE-2016-2372) - An out-of-bounds read error exists when handling the MXIT protocol. A remote attacker can exploit this, by sending an invalid mood, to cause a denial of service. (CVE-2016-2373) - An out-of-bounds write error exists when handling the MXIT protocol. A remote attacker can exploit this, via crafted MXIT MultiMX messages, to disclose memory contents or execute arbitrary code. (CVE-2016-2374) - An out-of-bounds read error exists when handling the MXIT protocol. A remote attacker can exploit this, via crafted MXIT contact information, to disclose memory contents. (CVE-2016-2375) - A buffer overflow condition exists when handling the MXIT protocol. A remote attacker can exploit this, via a crafted packet having an invalid size, to execute arbitrary code. (CVE-2016-2376) - An out-of-bounds write error exists when handling the MXIT protocol. A remote attacker can exploit this, via a negative content-length response to an HTTP request, to cause a denial of service. (CVE-2016-2377) - A buffer overflow condition exists when handling the MXIT protocol. A remote attacker can exploit this, via crafted data using negative length values, to cause a denial of service. (CVE-2016-2378) - A flaw exists in MXIT due to using weak cryptography when encrypting a user password. A man-in-the-middle attacker able to access login messages can exploit this to impersonate the user. (CVE-2016-2379) - An out-of-bounds read error exists when handling the MXIT protocol. A remote attacker can exploit this, via a crafted local message, to disclose memory contents. (CVE-2016-2380) - A directory traversal flaw exists when handling the MXIT protocol. A remote attacker can exploit this, via crafted MXIT data using an invalid file name for a splash image, to overwrite files. (CVE-2016-4323) - An unspecified vulnerability exists due to X.509 certificates not being properly imported when using GnuTLS. No other details are available.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 91784
    published: 2016-06-23
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91784
    title: Pidgin < 2.11.0 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(91784);
      script_version("1.9");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id(
        "CVE-2016-2365",
        "CVE-2016-2366",
        "CVE-2016-2367",
        "CVE-2016-2368",
        "CVE-2016-2369",
        "CVE-2016-2370",
        "CVE-2016-2371",
        "CVE-2016-2372",
        "CVE-2016-2373",
        "CVE-2016-2374",
        "CVE-2016-2375",
        "CVE-2016-2376",
        "CVE-2016-2377",
        "CVE-2016-2378",
        "CVE-2016-2379",
        "CVE-2016-2380",
        "CVE-2016-4323"
      );
    
      script_name(english:"Pidgin < 2.11.0 Multiple Vulnerabilities");
      script_summary(english:"Performs a version check.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An instant messaging client installed on the remote host is affected
    by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Pidgin installed on the remote Windows host is prior to 
    2.11.0. It is, therefore, affected by multiple vulnerabilities :
    
      - A NULL pointer dereference flaw exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        crafted MXIT data, to cause a denial of service.
        (CVE-2016-2365)
    
      - Multiple out-of-bounds read errors exist when handling
        the MXIT protocol. A remote attacker can exploit these,
        via crafted MXIT data, to cause a denial of service.
        (CVE-2016-2366, CVE-2016-2370)
    
      - An out-of-bounds read error exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        an invalid size for an avatar, to disclose memory
        contents or cause a denial of service. (CVE-2016-2367)
    
      - Multiple memory corruption issues exist when handling
        the MXIT protocol. A remote attacker can exploit these,
        via crafted MXIT data, to disclose memory contents or
        execute arbitrary code. (CVE-2016-2368)
    
      - A NULL pointer dereference flaw exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        crafted MXIT packet starting with a NULL byte, to cause
        a denial of service. (CVE-2016-2369)
    
      - An out-of-bounds write error exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        crafted MXIT data, to corrupt memory, resulting in the
        execution of arbitrary code. (CVE-2016-2371)
    
      - An out-of-bounds read error exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        an invalid size for a file transfer, to disclose memory
        contents or cause a denial of service. (CVE-2016-2372)
    
      - An out-of-bounds read error exists when handling the
        MXIT protocol. A remote attacker can exploit this, by
        sending an invalid mood, to cause a denial of service.
        (CVE-2016-2373)
    
      - An out-of-bounds write error exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        crafted MXIT MultiMX messages, to disclose memory
        contents or execute arbitrary code. (CVE-2016-2374)
    
      - An out-of-bounds read error exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        crafted MXIT contact information, to disclose memory
        contents. (CVE-2016-2375)
    
      - A buffer overflow condition exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        a crafted packet having an invalid size, to execute
        arbitrary code. (CVE-2016-2376)
    
      - An out-of-bounds write error exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        a negative content-length response to an HTTP request,
        to cause a denial of service. (CVE-2016-2377)
    
      - A buffer overflow condition exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        crafted data using negative length values, to cause a
        denial of service. (CVE-2016-2378)
    
      - A flaw exists in MXIT due to using weak cryptography
        when encrypting a user password. A man-in-the-middle
        attacker able to access login messages can exploit this
        to impersonate the user. (CVE-2016-2379)
    
      - An out-of-bounds read error exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        a crafted local message, to disclose memory contents.
        (CVE-2016-2380)
    
      - A directory traversal flaw exists when handling the
        MXIT protocol. A remote attacker can exploit this, via
        crafted MXIT data using an invalid file name for a
        splash image, to overwrite files. (CVE-2016-4323)
    
      - An unspecified vulnerability exists due to X.509
        certificates not being properly imported when using
        GnuTLS. No other details are available.");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=91");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=92");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=93");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=94");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=95");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=96");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=97");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=98");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=99");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=100");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=101");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=102");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=103");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=104");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=105");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=106");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=107");
      script_set_attribute(attribute:"see_also", value:"http://www.pidgin.im/news/security/?id=108");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Pidgin version 2.11.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2368");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/06/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/23");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:pidgin:pidgin");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("pidgin_installed.nasl");
      script_require_keys("SMB/Pidgin/Version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    path = get_kb_item_or_exit("SMB/Pidgin/Path");
    version = get_kb_item_or_exit("SMB/Pidgin/Version");
    fixed_version = '2.11.0';
    
    if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)
    {
      port = get_kb_item("SMB/transport");
      if (empty_or_null(port)) port = 445;
    
      report =
        '\n  Path               : ' + path +
        '\n  Installed version  : ' + version +
        '\n  Fixed version      : ' + fixed_version + '\n';
    
      security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, "Pidgin", version, path);