Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 20 Dec 2016 22:00:12 +0100
From: Sylvain SARMEJEANNE <sylvain.sarmejeanne.ml@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Smack: TLS SecurityMode.required not always enforced,
 leading to striptls attack

Hello,

I reported a vulnerability in the Smack XMPP library where the security of
the TLS connection is not always enforced. By stripping the "starttls"
feature from the server response with a man-in-the-middle tool, an attacker
can force the client to authenticate in clear text even if the
"SecurityMode.required" TLS setting has been set. This is a race condition
issue so the attack will work after a few tries.

The vulnerability affects at least all 4.1.x versions and is fixed in Smack
4.1.9.

References:
https://community.igniterealtime.org/blogs/ignite/2016/11/22/smack-
security-advisory-2016-11-22
https://issues.igniterealtime.org/browse/SMACK-739
https://github.com/igniterealtime/Smack/commit/
a9d5cd4a611f47123f9561bc5a81a4555fe7cb04
https://github.com/igniterealtime/Smack/commit/
059ee99ba0d5ff7758829acf5a9aeede09ec820b

Could you assign a CVE for this?
Thanks!

Sylvain

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ