Five vulnerabilities fixed in the universal chat client Pidgin

Posted: October 24, 2014 in Vulnerabilities
Tags: , , ,


PidginFive new vulnerabilities in universal instant messenger client

There are five vulnerabilities fixed in the client messaging Pidgin. Administrators are advised to update to version 2.10.10.

The program for instant messaging on the Internet Pidgin updated to version 2.10.10. Administrators are advised to install the updates immediately because they fixed five vulnerabilities.

Vulnerability CVE-2014-3698 allows attackers to steal information from the memory process in XMPP-messages. Vulnerability CVE-2014-3697 possible to change arbitrary files when connecting a specially designed theme emoticons (only in Windows). Vulnerabilities CVE-2014-3696 and CVE-2014-3695 could lead to abnormal termination of the process,  and CVE-2014-3694 leads to errors when checking SSL-certificates.

Note that Pidgin is a universal instant messenger that allows simultaneously log in to accounts on different networks to communicate. This means that the user can interact with friends on MSN, while talking to Google Talk and rewriting chatting Yahoo!, ICQ, SILC, SIMPLE, MXit, Zephyr, and etc. With additional plug-ins Pidgin can support more services.

New vulnerabilities in the universal chat client Pidgin

Danger level: 1, 4 – average; 1, 2, 3, 5 – low
Availability Corrections: Yes
Number of vulnerabilities: 5

CVSSv2 Rating: (AV: N / AC: L / Au: N / C: P / I: P / A: P / E: U / RL: O / RC: C) = Base: 7.5 / Temporal: 5.5
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: N / A: P / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: N / A: C / E: U / RL: O / RC: C) = Base: 7.8 / Temporal: 5.8
CVSSv2 Rating: (AV: N / AC: M / Au: N / C: P / I: P / A: N / E: U / RL: O / RC: C) = Base: 5.8 / Temporal: 4.3
CVSSv2 Rating: (AV: N / AC: L / Au: N / C: C / I: N / A: N / E: U / RL: O / RC: C) = Base: 7.8 / Temporal: 5.8

CVE ID: CVE-2014-3696
CVE ID: CVE-2014-3694
CVE ID: CVE-2014-3695
CVE ID: CVE-2014-3697
CVE ID: CVE-2014-3698

Vector of operation: Remote
Affected products: Pidgin
Affected versions: Pidgin to version 2.10.10

Solution: Install the latest version 2.10.10 from the manufacturer.

Pidgin chat client

1. Security Bypass in Pidgin

Impact: Security Bypass

Description: Insufficient SSL certificate validation

[CVE-2014-3694] The vulnerability leads to errors when checking SSL-certificates.

The vulnerability is caused due to an error in plugins SSL / TLS what are not properly check the intermediate certificates. A remote user can create a fake certificate which is trusted for Pidgin for any arbitrary domain.

2. Denial of service in Pidgin

Impact: Denial of service

Description: Remote crash parsing malformed MXit emoticon

[CVE-2014-3695] The vulnerability allows a remote user to cause a denial of service.

The vulnerability is caused due to an error in the processing of emoticons. A remote user can cause denial of service by sending a smiley face with an overly large length value.

3. Denial of service in Pidgin

Impact: Denial of service

Description: Remote crash parsing malformed Groupwise message

[CVE-2014-3696] The vulnerability allows a remote user to cause a denial of service.

The vulnerability is caused due to an error in the allocation of large amounts of memory in many places in the user interface. This can be exploited via a MitM-attack to crash the application.

4. Unauthorized modification of data in Pidgin

Impact: Unauthorized modification of data

Description: Malicious smiley themes could alter arbitrary files
[CVE-2014-3697] The vulnerability allows a remote user to manipulate certain data.

The vulnerability is caused due to an error while installing smiley theme. This can be exploited via a specially crafted themes put any file to any location on the system or modify existing files.

Note: Successful exploitation requires that the victim has installed a malicious object via drag and drop and use the operating system Windows.

5. Disclosure of sensitive data in Pidgin

Impact: Disclosure of sensitive data

Description: Potential information leak from XMPP

[CVE-2014-3698 ] The vulnerability allows a remote user to gain access to sensitive data.

The vulnerability is caused due to an error in the processing of XMPP messages. This can be exploited via a specially crafted XMPP messages to disclose the contents of arbitrary memory location.

Solution: Install the latest version 2.10.10 from the manufacturer.

Links:

http://pidgin.im/news/security/?id=86
http://pidgin.im/news/security/?id=87
http://pidgin.im/news/security/?id=88
http://pidgin.im/news/security/?id=89
http://pidgin.im/news/security/?id=90


 

PidginManufacturer URL: http://pidgin.im/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s