Five new vulnerabilities in universal instant messenger client

There are five vulnerabilities fixed in the client messaging Pidgin. Administrators are advised to update to version 2.10.10.

The program for instant messaging on the Internet Pidgin updated to version 2.10.10. Administrators are advised to install the updates immediately because they fixed five vulnerabilities.

Vulnerability CVE-2014-3698 allows attackers to steal information from the memory process in XMPP-messages. Vulnerability CVE-2014-3697 possible to change arbitrary files when connecting a specially designed theme emoticons (only in Windows). Vulnerabilities CVE-2014-3696 and CVE-2014-3695 could lead to abnormal termination of the process, and CVE-2014-3694 leads to errors when checking SSL-certificates.

Note that Pidgin is a universal instant messenger that allows simultaneously log in to accounts on different networks to communicate. This means that the user can interact with friends on MSN, while talking to Google Talk and rewriting chatting Yahoo!, ICQ, SILC, SIMPLE, MXit, Zephyr, and etc. With additional plug-ins Pidgin can support more services.

New vulnerabilities in the universal chat client Pidgin

Danger level: 1, 4 – average; 1, 2, 3, 5 – low

Availability Corrections: Yes

Number of vulnerabilities: 5

CVSSv2 Rating: (AV: N / AC: L / Au: N / C: P / I: P / A: P / E: U / RL: O / RC: C) = Base: 7.5 / Temporal: 5.5

CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: N / A: P / E: U / RL: O / RC: C) = Base: 5 / Temporal: 3.7

CVSSv2 Rating: (AV: N / AC: L / Au: N / C: N / I: N / A: C / E: U / RL: O / RC: C) = Base: 7.8 / Temporal: 5.8

CVSSv2 Rating: (AV: N / AC: M / Au: N / C: P / I: P / A: N / E: U / RL: O / RC: C) = Base: 5.8 / Temporal: 4.3

CVSSv2 Rating: (AV: N / AC: L / Au: N / C: C / I: N / A: N / E: U / RL: O / RC: C) = Base: 7.8 / Temporal: 5.8

CVE ID: CVE-2014-3696

CVE ID: CVE-2014-3694

CVE ID: CVE-2014-3695

CVE ID: CVE-2014-3697

CVE ID: CVE-2014-3698

Vector of operation: Remote

Affected products: Pidgin

Affected versions: Pidgin to version 2.10.10

Solution: Install the latest version 2.10.10 from the manufacturer.

1. Security Bypass in Pidgin

Impact: Security Bypass

Description: Insufficient SSL certificate validation

[CVE-2014-3694] The vulnerability leads to errors when checking SSL-certificates.

The vulnerability is caused due to an error in plugins SSL / TLS what are not properly check the intermediate certificates. A remote user can create a fake certificate which is trusted for Pidgin for any arbitrary domain.

2. Denial of service in Pidgin

Impact: Denial of service

Description: Remote crash parsing malformed MXit emoticon

[CVE-2014-3695] The vulnerability allows a remote user to cause a denial of service.

The vulnerability is caused due to an error in the processing of emoticons. A remote user can cause denial of service by sending a smiley face with an overly large length value.

3. Denial of service in Pidgin

Impact: Denial of service

Description: Remote crash parsing malformed Groupwise message

[CVE-2014-3696] The vulnerability allows a remote user to cause a denial of service.

The vulnerability is caused due to an error in the allocation of large amounts of memory in many places in the user interface. This can be exploited via a MitM-attack to crash the application.

4. Unauthorized modification of data in Pidgin

Impact: Unauthorized modification of data

Description: Malicious smiley themes could alter arbitrary files

[CVE-2014-3697] The vulnerability allows a remote user to manipulate certain data.

The vulnerability is caused due to an error while installing smiley theme. This can be exploited via a specially crafted themes put any file to any location on the system or modify existing files.

Note: Successful exploitation requires that the victim has installed a malicious object via drag and drop and use the operating system Windows.

5. Disclosure of sensitive data in Pidgin

Impact: Disclosure of sensitive data

Description: Potential information leak from XMPP

[CVE-2014-3698 ] The vulnerability allows a remote user to gain access to sensitive data.

The vulnerability is caused due to an error in the processing of XMPP messages. This can be exploited via a specially crafted XMPP messages to disclose the contents of arbitrary memory location.

Solution: Install the latest version 2.10.10 from the manufacturer.

Links:

http://pidgin.im/news/security/?id=86

http://pidgin.im/news/security/?id=87

http://pidgin.im/news/security/?id=88

http://pidgin.im/news/security/?id=89

http://pidgin.im/news/security/?id=90

Manufacturer URL: http://pidgin.im/