The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

According to the self-reported version in the server response header, the version of nginx installed on the remote host is 1.5.6 or higher, 1.6.x prior to 1.6.1, or 1.7.x prior to 1.7.4. It is, therefore, affected by a command injection vulnerability. A flaw exists in the function 'ngx_mail_smtp_starttls' within the file 'src/mail/ngx_mail_smtp_handler.c' whereby input to the STARTTLS command is not properly sanitized. This could allow a remote attacker in a privileged network position to obtain sensitive information by injecting commands into an SSL session. This issue is exploitable only when nginx is used as an SMTP proxy.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the self-reported version in the server response header, the version of nginx installed on the remote host is 1.5.6 or higher, 1.6.x prior to 1.6.1, or 1.7.x prior to 1.7.4. It is, therefore, affected by a command injection vulnerability.

A flaw exists in the function 'ngx_mail_smtp_starttls' within the file 'src/mail/ngx_mail_smtp_handler.c' whereby input to the STARTTLS command is not properly sanitized. This could allow a remote attacker in a privileged network position to obtain sensitive information by injecting commands into an SSL session.

Note that this issue is exploitable only when nginx is used as an SMTP proxy.

The nginx project reports :

Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.

ID	Name	Product	Family	Severity
98958	Nginx < 1.6.1 SMTP STARTTLS Command Injection	Web App Scanning	Component Vulnerability	high
98957	Nginx < 1.7.4 SMTP STARTTLS Command Injection	Web App Scanning	Component Vulnerability	high
77246	nginx < 1.6.1 / 1.7.4 SMTP STARTTLS Command Injection	Nessus	Web Servers	medium
77109	FreeBSD : nginx -- inject commands into SSL session vulnerability (ad747a01-1fee-11e4-8ff1-f0def16c5c1b)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2014-3556

high

Tenable Plugins

high

high

medium

medium