Executive Summary

Summary
Title: NSIS Inetc plug-in fails to validate SSL certificates

Information
Name: VU#894897
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2015-03-20
Last vendor modification: 2015-03-23
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS base score: 4.3
CVSS impact score: 2.9
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#894897

NSIS Inetc plug-in fails to validate SSL certificates

Original Release date: 20 Mar 2015 | Last revised: 23 Mar 2015

Overview

The Inetc plugin for the NSIS installer fails to validate SSL certificates, which makes affected installers vulnerable to HTTPS spoofing.

Description

Inetc is a plugin for the NSIS installer software that provides the ability to download files from the internet. Although Inetc supports the ability to download files using the HTTPS protocol, it does not validate SSL certificate chains.
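The certificate-chain validation that the note says Inetc omits, shown as an added Python example (not code from the CERT/CC note or from the Inetc plug-in): a client context that accepts any certificate beside one that validates the chain and host name, plus a check an installer author can apply to a context before using it for a download. Function and parameter names are assumptions.

```python
"""Added example, not part of the CERT/CC note or the Inetc plug-in.

Contrasts an HTTPS client that skips certificate-chain and host-name
validation (the failure mode the note describes) with one that validates,
and refuses to download with a non-validating configuration.
"""
import ssl
import urllib.request
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """Accepts any certificate: the non-validating pattern.

    With CERT_NONE the server's chain is never checked against trusted
    roots, so an on-path party presenting a self-signed or otherwise
    untrusted certificate is indistinguishable from the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validates the chain against trusted roots (system store, or
    `cafile` if given) and checks the certificate against the host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both; set them explicitly so the
    # intent survives later edits.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if ctx verifies the chain AND the host name. Both are
    needed: CERT_REQUIRED alone accepts any CA-issued cert for any name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def download(url: str, ctx: ssl.SSLContext, timeout: float = 30.0) -> bytes:
    """Fetch url over HTTPS, refusing a non-HTTPS URL or a context that
    would not validate the server certificate."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS download: " + url)
    if not validates_peer(ctx):
        raise ValueError("TLS context does not validate the server certificate")
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()
```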

Impact

An attacker can spoof content retrieved using HTTPS. Depending on what the installer does with content retrieved over HTTPS, the impact can be as severe as arbitrary code execution with elevated privileges.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Only install software while connected to a trusted network

Because the Inetc plugin does not validate SSL certificates, any software installers that are NSIS-based should not be used while connected to a network that is either inherently untrusted, or one that has untrusted users on it.

Vendor Information

Vendor                   Status        Date Notified  Date Updated
CERT/CC                  Affected      -              20 Mar 2015
Dropbox                  Affected      03 Mar 2015    20 Mar 2015
Nullsoft                 Affected      31 Jan 2011    25 Feb 2015
AVG Anti-virus Software  Not Affected  25 Feb 2015    26 Feb 2015
Unify Inc                Not Affected  25 Feb 2015    23 Mar 2015
7-Zip.org                Unknown       25 Feb 2015    25 Feb 2015
Adobe                    Unknown       25 Feb 2015    25 Feb 2015
Amazon                   Unknown       25 Feb 2015    25 Feb 2015
AMD                      Unknown       25 Feb 2015    25 Feb 2015
Debian GNU/Linux         Unknown       25 Feb 2015    25 Feb 2015
DivX, Inc.               Unknown       25 Feb 2015    25 Feb 2015
Ericsson                 Unknown       25 Feb 2015    25 Feb 2015
FreeRADIUS               Unknown       25 Feb 2015    25 Feb 2015
Google                   Unknown       25 Feb 2015    25 Feb 2015
Intel Corporation        Unknown       25 Feb 2015    25 Feb 2015

CVSS Metrics

Group          Score  Vector
Base           7.3    AV:A/AC:M/Au:N/C:C/I:C/A:--
Temporal       7.3    E:H/RL:U/RC:C
Environmental  7.3    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  • http://nsis.sourceforge.net
  • http://nsis.sourceforge.net/Inetc_plug-in
  • https://sourceforge.net/p/nsis/bugs/1022/
  • http://forums.winamp.com/showthread.php?p=3018645#post3018645

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2015-0941
  • Date Public: 31 Jan 2011
  • Date First Published: 20 Mar 2015
  • Date Last Updated: 23 Mar 2015
  • Document Revision: 22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/894897

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-310  Cryptographic Issues

CPE : Common Platform Enumeration

Type         Description  Count
Application  -            1

Alert History

Date                 Information
2015-03-24 21:30:51  Multiple Updates
2015-03-23 17:25:20  Multiple Updates
2015-03-22 09:30:34  Multiple Updates
2015-03-21 00:24:28  Multiple Updates
2015-03-20 21:25:56  First insertion