CVE-2021-3618

EUVD-2021-26922
ALPACA is an application layer protocol content confusion attack that exploits TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker with access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.4 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
EPSS Score percentile: 69%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| f5 | nginx | 𝑥 < 1.21.0 |
| sendmail | sendmail | 𝑥 < 8.17 |
| vsftpd_project | vsftpd | 𝑥 < 3.0.4 |
| debian | debian_linux | 10.0 |

𝑥 = Vulnerable software versions
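Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| nginx | bookworm | 1.22.1-9 | no-dsa |
| nginx | bullseye | 1.18.0-6.1+deb11u3 | no-dsa |
| nginx | bullseye (security) | 1.18.0-6.1+deb11u3 | fixed |
| nginx | buster | | no-dsa |
| nginx | sid | 1.26.0-3 | fixed |
| nginx | stretch | | no-dsa |
| nginx | trixie | 1.26.0-3 | fixed |
| sendmail | bookworm | 8.17.1.9-2+deb12u2 | no-dsa |
| sendmail | bullseye | | no-dsa |
| sendmail | buster | | no-dsa |
| sendmail | sid | 8.18.1-6 | fixed |
| sendmail | stretch | | no-dsa |
| sendmail | trixie | 8.18.1-6 | fixed |
| vsftpd | bookworm | | no-dsa |
| vsftpd | bullseye | | no-dsa |
| vsftpd | buster | | no-dsa |
| vsftpd | sid | | vulnerable |
| vsftpd | stretch | | no-dsa |
| vsftpd | trixie | | vulnerable |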
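Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| nginx | bionic | Fixed 1.14.0-0ubuntu1.10 | released |
| nginx | focal | Fixed 1.18.0-0ubuntu1.3 | released |
| nginx | hirsute | | ignored |
| nginx | impish | Fixed 1.18.0-6ubuntu11.1 | released |
| nginx | jammy | Fixed 1.18.0-6ubuntu14.1 | released |
| nginx | kinetic | | ignored |
| nginx | lunar | | not-affected |
| nginx | mantic | | not-affected |
| nginx | noble | | not-affected |
| nginx | trusty | | needed |
| nginx | xenial | Fixed 1.10.3-0ubuntu0.16.04.5+esm3 | released |
| sendmail | bionic | | needed |
| sendmail | focal | | needed |
| sendmail | hirsute | | ignored |
| sendmail | impish | | ignored |
| sendmail | jammy | | needed |
| sendmail | kinetic | | ignored |
| sendmail | lunar | | not-affected |
| sendmail | mantic | | not-affected |
| sendmail | noble | | not-affected |
| sendmail | trusty | | needed |
| sendmail | xenial | | needs-triage |
| vsftpd | bionic | | needed |
| vsftpd | focal | Fixed 3.0.5-0ubuntu0.20.04.1 | released |
| vsftpd | hirsute | | ignored |
| vsftpd | impish | | ignored |
| vsftpd | jammy | | not-affected |
| vsftpd | kinetic | | not-affected |
| vsftpd | lunar | | not-affected |
| vsftpd | mantic | | not-affected |
| vsftpd | noble | | not-affected |
| vsftpd | trusty | | needed |
| vsftpd | xenial | | needed |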