Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Jan 2016 20:39:35 +0000
From: Matthew Wild <mwild1@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-0756: Prosody XMPP server: insecure dialback key
 generation/validation algorithm

A vulnerability has been found and fixed in the Prosody XMPP server.

CVE-2016-0756
-------------

Project
  ~ Prosody XMPP server
URL
  ~ https://prosody.im/
CVE
  ~ CVE-2016-0756
Date
  ~ 2016-01-27

Affected versions
  ~ All versions prior to 0.9.10
Affected Prosody modules
  ~ mod_dialback
Fixed versions
  ~ 0.9.10, 0.10 nightly build 201, trunk nightly build 612

Description
-----------

The flaw allows a malicious XMPP server to impersonate the vulnerable
domain to any
XMPP domain whose domain name includes the attacker's domain as a suffix.

For example, 'bber.example' would be able to connect to 'jabber.example' and
successfully impersonate any vulnerable server on the network.

Affected configurations
-----------------------

The default configuration is affected. Servers with mod_dialback
disabled are not affected.

Servers with s2s_secure_auth enabled will reject incoming
impersonation attempts (that is,
servers attempting to impersonate other domains will be rejected), but
may still be impersonated to other servers on the network.

Temporary mitigation
--------------------

Disable mod_dialback by adding "dialback" to your modules_disabled
list in the global
section of your config file, and restart Prosody:

   modules_disabled = { "dialback" }

Note that disabling dialback will affect interoperability with servers
that do not have trusted
TLS certificates.

Advice
------

All users should upgrade to 0.9.10, or check their OS distribution for
security updates. Users of development branches (0.10, trunk) should
upgrade to the latest nightly builds.

Credits
-------

The flaw was discovered and responsibly disclosed to us by Thijs Alkemade.

Links
-------

 - https://prosody.im/security/advisory_20160127/
 - http://blog.prosody.im/prosody-0-9-10-released/
 - https://prosody.im/issues/issue/596
 - https://hg.prosody.im/0.9/rev/5c6e78dc1864

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.