Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 10 Oct 2015 20:55:52 -0700
From: Christine Dodrill <me@...istine.website>
To: oss-security@...ts.openwall.com
Subject: ircd-ratbox and Derivatives OOM by MONITOR Command

Elemental-IRCd Security Release: 2015-10-07
===========================================

CVE-2015-5290

Elemental-IRCd reference code: e50b0d59-f3c5-4472-a3cd-e2e07731417c

Permanent link: http://elemental-ircd.com/security/e50b0d59-f3c5-4472-a3cd-e2e07731417c

Distribution of this document is unlimited and encouraged as long as it
remains unchanged.

## Summary

Elemental-IRCd is an Internet Relay Chat (IRC / RFC 1459) daemon intended
for stable, secure deployments for both private and public-facing users. It
provides quick messaging across servers, even when deployed on a global
scale. One of the recent goals of the project has been to limit memory
leaks and test functionality to ensure quality for all users.

While looking for resource leaks and other things to test inside
Elemental-IRCd git master, we stumbled on an unfortunate programming error
in how the MONITOR command was handled that can lead to a system
out-of-memory event if an attacker hammers at the MONITOR command over and
over.

## Affected Daemons

In our testing, the following IRC daemons were affected:

ircd-ratbox 3.0.8, SVN trunk and older
charybdis 3.5-dev and older
ircd-seven 1.1.3 and older
Elemental-IRCd 6.6.2 and older
Other derivatives of these daemons will be affected as well unless for some
reason they came across and fixed that issue before this release.

## Vulnerability Information

Public release date: 2015-10-07
CVE: CVE-2015-5290
CVSS v3:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:W/RC:C/CR:H/IR:L/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MC:L/MI:N/MA:H
CVSS score: 8.8 / 8.6 / 9.5
Attack complexity: Trivial (less than 30 lines of code)

## Notes

If applying these patches is somehow impossible, the attack can be
completely mitigated by unloading the m_monitor.so module using the
following command provided you have permission to load and unload modules:

    /MODUNLOAD m_monitor.so

The required privilege to do this is defined as the admin flag inside the
flags section of the relevant operator{} block in the configuration
(OLD:O:Line).

This patch can be applied at runtime and will automatically garbage-collect
any memory that has been leaked in the past.

A full set of technical details will be released as soon as it is confirmed
that major IRC networks affected by this have been patched.

---

Please see the above permanent link for more information, including the
links to patches for your preferred daemon.

-- 

            Christine Dodrill <me@...istine.website>
       CF54 AAE3 62BF 9C9F B79F  AA18 799F 9134 8118 1111
                 https://christine.website

   "No matter where you are... everyone is always connected."
                        れいん いわくら

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.