Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon,  5 Sep 2016 18:45:19 -0400 (EDT)
From: cve-assign@...re.org
To: anarcat@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE ID request: certificate spoofing through crafted SASL message in inspircd, charybdis

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> inspircd published 2.0.23 that fixes an issue with SASL
> authentication. The details are here:
> 
> http://www.inspircd.org/2016/09/03/v2023-released.html
> 
> All versions are affected.

>> This release fixes a serious security vulnerability in m_sasl in
>> combination with any services that support SASL EXTERNAL. To be
>> vulnerable you must have m_sasl loaded, and have services which
>> support SASL EXTERNAL authentication.
>> 
>> This vulnerability allows any attacker to spoof certificate
>> fingerprints via crafted SASL messages to the IRCd. This allows any
>> user to login as any other user that they know the certificate
>> fingerprint of, and that user has services configured to accept SASL
>> EXTERNAL login requests for.

>> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a

>> https://www.irc.wiki/InspIRCd

>> InspIRCd is an IRC daemon written entirely from scratch, it is one
>> of the few IRC daemons to be written in C++

Use CVE-2016-7142 for this issue only in the InspIRCd codebase.


>> This bug appears more widespread than just InspIRCd, and seems to
>> affect most or all other implementations of SASL EXTERNAL, including
>> Charybdis and UnrealIRCd.


> It seems to also affect Charybdis, which fixed the issue in the
> upcoming 3.5.3 release:
>
> https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824

Use CVE-2016-7143 for this issue only in the Charybdis codebase.


>> https://forums.unrealircd.org/viewtopic.php?f=1&t=8588
>> 
>> Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)
>> 
>> A security issue was detected in a number of IRCd's, including
>> UnrealIRCd, regarding the way SASL is implemented.
>> 
>> An attacker can send an SSL fingerprint of his choice to services when
>> doing SASL authentication. An attacker can compromise a services
>> account if the user has an SSL fingerprint stored in services.
>> 
>> https://github.com/unrealircd/unrealircd/commit/f473e355e1dc422c4f019dbf86bc50ba1a34a766

Use CVE-2016-7144 for this issue only in the UnrealIRCd codebase.

(We realize that the file is m_sasl.c, the function is m_authenticate,
and the array is parv in both the Charybdis case and the UnrealIRCd
case, but we decided not to try to share a CVE ID between these two
products.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXzfUcAAoJEHb/MwWLVhi2+TUQAJiZ9E61fr6h/APTcz7CWDAJ
Hi1ixYOqZAVnGNevJ2Q7+kmg9h872ftwX7euCmMoLFBHPILaBhELbbnw5N1wa09u
PfrQFf/3D0BwrKd50Pnu/N5+5PRJ6Oy7Oa5aaf1vdeQbbaQbO2P6YV5MrcB/NJoe
Lh5GoLM3oqGS5qde+ep3RKLeOixu2KqopaP9JAH1e2a25m0Wva92tQVYqgGIxROa
PPiRRRXFDbm8j9VZ4D4VBHlJhdjwjw85OT/WNxXx3wBbeJwdtI+1puS5OEhQFGsl
Eh993vGHyTCvw2obVn2YnIng1qHfkdfe5lxjJBbE5/a6yFmNQAS/zUURBL01DPlI
uhWYablVV9Vv8++gaezGtJd1OI60Kl0vPch44yzvDOeI5sQHjQNMMwQ2oe+gAlcv
grrkVqtKd2hkNBh1NATA9MoTIErYZsWZCddGPo50IqHyqaZ5eyJaj0JELOF8E7q/
2oe0UWuXcvcD+8oAZvbEVJuBUI+ZV+d6wcL4tEOcEG4gL5qDh0hOi8aY/u5zi+fb
gLcjoBW9TzlGZy3f0CZ2N0s3v2xFai19JdSLzRM+TXzFHf4PQ5MoexWgk10UPdsk
9OJXqTl0LqEMqTHPOLXw08mhgWaU55vRI3wCjnUyTY0GdmUZpLy3R8yWCJk5RUmy
g5+Do/FYzRkh/k/3L73U
=c9S9
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.