A few security vulnerabilities have been discovered in STunnel. These vulnerabilities range from remote execution of arbitrary code to overwriting of system files.
Credit:
The information has been provided by Brian Hatch and Lez.
Vulnerable systems:
STunnel version 3.8
STunnel version prior to 3.9
Immune systems:
STunnel version 3.9 and above
Several vulnerabilities have been reported in STunnel:
1) STunnel-3.8 and previous did not properly seed the PRNG.
This could lead to weak encryption on machines that lack /dev/urandom such as Solaris and Windows. BSDs and Linux are not affected.
2) STunnel-3.8 and previous had insecure PID file creation, and was thus vulnerable to symlink attacks.
This gives the ability to overwrite any file on the system. Since STunnel is usually used to bind low ports, it is usually run as root, so this has very damaging potential.
3) STunnel-3.8p4 and previous were affected by a format string bug. (See below for more information)
4) STunnel-3.8p4 and previous were not entirely thread-safe.
Only informational counters were affected by this, nothing security or functional related.
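The PID-file issue in item 2 is a classic symlink race: a writer that opens the PID path with a plain fopen(path, "w") follows any symlink planted there and truncates the target, which is catastrophic when the writer is root. The following is an added example (not STunnel's own code) contrasting that pattern with an open() that refuses to follow a pre-planted link. The scratch directory, the "victim" file and the function names are constructed for this illustration.

```c
/* Added example, not STunnel's own code: creating a PID file so that a
 * symlink planted at the path by another user cannot redirect the write
 * to an arbitrary system file. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write our PID to `path`. Returns 0 on success, -1 on failure (errno set).
 * O_EXCL makes open() fail if anything already exists at the path, so a
 * pre-planted symlink is rejected with EEXIST instead of being followed;
 * O_NOFOLLOW additionally fails with ELOOP on a symlink even without O_EXCL.
 * Mode 0644 applies only to the freshly created file. */
int write_pid_file_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (n < 0 || n >= (int)sizeof buf) { close(fd); return -1; }
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return (w == n) ? 0 : -1;
}

/* The pattern to avoid: fopen(path, "w") follows a symlink at `path` and
 * truncates whatever it points to. Kept only for contrast; not run below. */
int write_pid_file_insecure(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%ld\n", (long)getpid());
    fclose(f);
    return 0;
}

/* Demonstration: inside `dir`, create a constructed "system file" and plant
 * a symlink named stunnel.pid pointing at it, then call the safe writer.
 * Returns 1 if the writer refused the link and the file is untouched. */
int demo_symlink_rejected(const char *dir) {
    char victim[4096], pidfile[4096];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(pidfile, sizeof pidfile, "%s/stunnel.pid", dir);

    FILE *v = fopen(victim, "w");            /* constructed victim file */
    if (!v) return 0;
    fputs("important\n", v);
    fclose(v);
    unlink(pidfile);
    if (symlink(victim, pidfile) != 0) return 0;   /* pre-planted link */

    int rc = write_pid_file_safe(pidfile);   /* must fail, not follow */
    int refused = (rc == -1 && (errno == EEXIST || errno == ELOOP));

    char content[64] = {0};
    FILE *chk = fopen(victim, "r");
    if (!chk) return 0;
    size_t got = fread(content, 1, sizeof content - 1, chk);
    fclose(chk);
    content[got] = '\0';
    int intact = (strcmp(content, "important\n") == 0);

    unlink(pidfile);
    unlink(victim);
    return refused && intact;
}

/* Run the demonstration in a per-process scratch directory under /tmp
 * (constructed name). Returns the demo result; cleans up afterwards. */
int run_demo_in_tmpdir(void) {
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/pidfile-demo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 0;
    int ok = demo_symlink_rejected(dir);
    rmdir(dir);
    return ok;
}

int main(void) {
    int ok = run_demo_in_tmpdir();
    printf("safe writer rejected symlink, victim intact: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The same idea applies to any file a privileged daemon creates in a directory other users can write to: never reuse an existing path, and let the kernel reject links rather than checking with lstat() first, which reintroduces a race.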
Solution:
STunnel users should upgrade to STunnel version 3.9 or later immediately.
Stunnel-3.10 is slated for release soon. It is a functional release and does not contain any additional security-related changes.
Additional details on the format bug vulnerability:
As described above, STunnel suffers from a format string vulnerability. If a user can pass any string that is written to the log file, she can exploit this vulnerability with carefully formatted format strings (containing %n).
When debugging is turned on (-d 7), the username that is looked up via ident is written to the log file. Therefore, if the client can manipulate its ident username, she can completely compromise the host running STunnel. In another case, when STunnel's native SMTP support and debugging are turned on, it is exploitable too. This is of course not a complete list of exploit methods; there may be many more.
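The root cause is an untrusted string (here the ident reply) reaching a printf-style logging call in the format-string position. The following is an added example, not STunnel's code, showing a minimal log wrapper, the unsafe and the safe way of passing the ident value through it, and a small check that flags untrusted strings containing conversion directives so they stand out in log review. The function names and the sample ident value are constructed; the demonstration uses only the "%%" directive so that the unsafe call remains well-defined.

```c
/* Added example, not STunnel's own code: format-string-safe logging of an
 * untrusted ident reply, beside the unsafe pattern for contrast. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Minimal log function in the style of a syslog()/printf() wrapper: the
 * first argument is interpreted as a printf format. Writes into `out`. */
int log_line(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Unsafe: the untrusted text becomes the format string, so "%n", "%x" and
 * friends inside it are interpreted. Shown for contrast only. */
int log_ident_unsafe(char *out, size_t outsz, const char *ident_user) {
    return log_line(out, outsz, ident_user);   /* BUG: caller controls fmt */
}

/* Safe: a fixed format string; the untrusted text is passed only as a %s
 * argument, so any directives it contains are copied literally. */
int log_ident_safe(char *out, size_t outsz, const char *ident_user) {
    return log_line(out, outsz, "ident user: %s", ident_user);
}

/* Count format directives in an untrusted string, ignoring the escaped
 * "%%". Non-zero means the string would be dangerous if it ever reached a
 * format argument; useful for flagging odd ident/SMTP values in logs. */
int count_format_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* literal percent sign */
        count++;
    }
    return count;
}

/* Demonstration: log the same constructed ident reply both ways.
 * Returns 1 when the safe path preserved the text literally and the unsafe
 * path interpreted it. Only "%%" is used so the unsafe call is well-defined
 * (a real "%n" would be undefined behaviour). */
int demo_contrast(void) {
    const char *ident_user = "alice%%bob";   /* constructed sample input */
    char safe[128], unsafe[128];
    log_ident_safe(safe, sizeof safe, ident_user);
    log_ident_unsafe(unsafe, sizeof unsafe, ident_user);
    return strcmp(safe, "ident user: alice%%bob") == 0
        && strcmp(unsafe, "alice%bob") == 0;
}

int main(void) {
    printf("safe keeps literal, unsafe interprets: %s\n",
           demo_contrast() ? "yes" : "no");
    printf("directives in \"alice%%n%%x\": %d\n",
           count_format_directives("alice%n%x"));
    return 0;
}
```

In the safe variant the fix is purely in how the call is written; compilers also help here, since gcc's -Wformat-security warns about calls such as printf(user_string) where the format is a non-literal with no further arguments.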