Date: Mon,  5 Sep 2016 18:45:19 -0400 (EDT)
From: cve-assign@...re.org
To: anarcat@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE ID request: certificate spoofing through crafted SASL message in inspircd, charybdis

> inspircd published 2.0.23 that fixes an issue with SASL
> authentication. The details are here:
> 
> http://www.inspircd.org/2016/09/03/v2023-released.html
> 
> All versions are affected.

>> This release fixes a serious security vulnerability in m_sasl in
>> combination with any services that support SASL EXTERNAL. To be
>> vulnerable you must have m_sasl loaded, and have services which
>> support SASL EXTERNAL authentication.
>> 
>> This vulnerability allows any attacker to spoof certificate
>> fingerprints via crafted SASL messages to the IRCd. This allows any
>> user to login as any other user that they know the certificate
>> fingerprint of, and that user has services configured to accept SASL
>> EXTERNAL login requests for.

>> https://github.com/inspircd/inspircd/commit/74fafb7f11b06747f69f182ad5e3769b665eea7a

>> https://www.irc.wiki/InspIRCd

>> InspIRCd is an IRC daemon written entirely from scratch, it is one
>> of the few IRC daemons to be written in C++

Use CVE-2016-7142 for this issue only in the InspIRCd codebase.


>> This bug appears more widespread than just InspIRCd, and seems to
>> affect most or all other implementations of SASL EXTERNAL, including
>> Charybdis and UnrealIRCd.


> It seems to also affect Charybdis, which fixed the issue in the
> upcoming 3.5.3 release:
>
> https://github.com/charybdis-ircd/charybdis/commit/818a3fda944b26d4814132cee14cfda4ea4aa824

Use CVE-2016-7143 for this issue only in the Charybdis codebase.


>> https://forums.unrealircd.org/viewtopic.php?f=1&t=8588
>> 
>> Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)
>> 
>> A security issue was detected in a number of IRCd's, including
>> UnrealIRCd, regarding the way SASL is implemented.
>> 
>> An attacker can send an SSL fingerprint of his choice to services when
>> doing SASL authentication. An attacker can compromise a services
>> account if the user has an SSL fingerprint stored in services.
>> 
>> https://github.com/unrealircd/unrealircd/commit/f473e355e1dc422c4f019dbf86bc50ba1a34a766

Use CVE-2016-7144 for this issue only in the UnrealIRCd codebase.

(We realize that the file is m_sasl.c, the function is m_authenticate,
and the array is parv in both the Charybdis case and the UnrealIRCd
case, but we decided not to try to share a CVE ID between these two
products.)

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
