=====================================================================
                            CERT-Renater

                 Information Note No. 2013/VULN092
_____________________________________________________________________

DATE                 : 04/03/2013

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Stunnel versions 4.21 up to
                       and including 4.54.

======================================================================
https://www.stunnel.org/CVE-2013-1762.html
______________________________________________________________________

Title

A buffer overflow vulnerability due to incorrect integer conversion in
the NTLM authentication of the CONNECT protocol negotiation

Exploitability

The vulnerability is exploitable under the following conditions:

  - Stunnel versions 4.21 through 4.54.
  - Stunnel compiled as a 64-bit executable. Any 32-bit builds,
    including pre-compiled Win32 binaries, are not vulnerable.
  - Service configured in SSL client mode ("client = yes").
  - CONNECT protocol negotiation enabled ("protocol = connect").
  - NTLM authentication enabled ("protocolAuthentication = NTLM").
  - The attacker is able either to control the proxy server specified
    as a parameter of the "connect" option, or to perform MITM attacks
    on TCP sessions between stunnel and the proxy server.

Impact

The vulnerability may be exploited for arbitrary code execution. The
code is executed within the configured chroot directory, with the
privileges of the configured user and group.

CVSS v2 Score

  CVSS Base Score:         6.6
  Impact Subscore:         8.5
  Exploitability Subscore: 4.9
  CVSS Temporal Score:     5.2
  Overall CVSS Score:      5.2
  CVSS v2 Vector:          (AV:N/AC:H/Au:N/C:P/I:P/A:C/E:P/RL:O/RC:C)

Recommendation

Upgrade to stunnel 4.55, or disable the NTLM authentication.
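A configuration audit for the conditions listed under Exploitability, as an added example that is not part of the advisory or of stunnel itself. The function names, the sample configuration and its hostname are constructed; the script assumes that options set before the first [service] section act as defaults for every service, and it compares option names and values case-insensitively.

```python
import re

FIRST_AFFECTED, LAST_AFFECTED = (4, 21), (4, 54)  # affected range per the advisory
# The three service options the advisory lists as preconditions (lower-cased).
RISKY = {"client": "yes", "protocol": "connect", "protocolauthentication": "ntlm"}

def version_affected(version: str) -> bool:
    """True if a 'major.minor' stunnel version is inside the affected range."""
    major, minor = (int(p) for p in version.strip().split(".")[:2])
    return FIRST_AFFECTED <= (major, minor) <= LAST_AFFECTED

def risky_services(conf_text: str) -> list[str]:
    """Names of services whose effective options match all three preconditions."""
    defaults, services, current = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            # Assumption: options before the first [service] are defaults.
            services[current] = dict(defaults)
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = defaults if current is None else services[current]
            target[key.strip().lower()] = value.strip().lower()
    return [name for name, opts in services.items()
            if all(opts.get(k) == v for k, v in RISKY.items())]

def exposed(conf_text: str, version: str, is_64bit: bool) -> list[str]:
    """Services meeting every local condition; [] if the build is not affected."""
    if not (is_64bit and version_affected(version)):
        return []
    return risky_services(conf_text)

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
client = yes
[proxy-ntlm]
connect = proxy.example.internal:3128
protocol = connect
protocolAuthentication = NTLM
[proxy-basic]
protocol = connect
protocolAuthentication = basic
"""
```

A service returned by exposed() still requires the last condition, an attacker who controls the proxy or the path to it, so treat the list as services to upgrade or reconfigure first.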
Credits

  Vulnerability discovery: Mateusz Kocielski, LogicalTrust
  This report:             Michal Trojnara

Timeline

  Initial release: 3 Mar 2013
  Last update:     3 Mar 2013

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================