CVE-2021-3618
Published: 23 March 2022
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
Notes
| Author | Note |
|---|---|
| mdeslaur | the mail proxy mechanisms aren't included in nginx.conf by default |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
nginx Launchpad, Ubuntu, Debian |
bionic |
Released
(1.14.0-0ubuntu1.10)
|
| focal |
Released
(1.18.0-0ubuntu1.3)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Released
(1.18.0-6ubuntu11.1)
|
|
| jammy |
Released
(1.18.0-6ubuntu14.1)
|
|
| kinetic |
Ignored
(end of life, was needed)
|
|
| lunar |
Not vulnerable
(1.22.0-1ubuntu1)
|
|
| mantic |
Not vulnerable
(1.22.0-1ubuntu1)
|
|
| noble |
Not vulnerable
(1.22.0-1ubuntu1)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(1.21.0)
|
|
| xenial |
Released
(1.10.3-0ubuntu0.16.04.5+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: http://hg.nginx.org/nginx/rev/ec1071830799 |
||
|
sendmail Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Needed
|
|
| kinetic |
Ignored
(end of life, was needed)
|
|
| lunar |
Not vulnerable
(8.17.1.9-1)
|
|
| mantic |
Not vulnerable
(8.17.1.9-1)
|
|
| noble |
Not vulnerable
(8.17.1.9-1)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(8.16.1-1)
|
|
| xenial |
Needs triage
|
|
|
vsftpd Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Released
(3.0.5-0ubuntu0.20.04.1)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Not vulnerable
(3.0.5-0ubuntu1)
|
|
| kinetic |
Not vulnerable
(3.0.5-0ubuntu1)
|
|
| lunar |
Not vulnerable
(3.0.5-0ubuntu1)
|
|
| mantic |
Not vulnerable
(3.0.5-0ubuntu1)
|
|
| noble |
Not vulnerable
(3.0.5-0ubuntu1)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(3.0.4)
|
|
| xenial |
Needed
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.4 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
References
- https://security.appspot.com/vsftpd/Changelog.txt
- https://alpaca-attack.com/
- https://marc.info/?l=sendmail-announce&m=159394546814125&w=2
- https://lists.exim.org/lurker/message/20210609.200324.f0e073ed.el.html
- https://ubuntu.com/security/notices/USN-5371-1
- https://ubuntu.com/security/notices/USN-5371-2
- https://ubuntu.com/security/notices/USN-6379-1
- https://www.cve.org/CVERecord?id=CVE-2021-3618
- NVD
- Launchpad
- Debian