Date: Thu, 22 Dec 2016 11:03:01 -0500
From: <cve-assign@...re.org>
To: <sylvain.sarmejeanne.ml@...il.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE Request: Smack: TLS SecurityMode.required not always enforced, leading to striptls attack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I reported a vulnerability in the Smack XMPP library where the security of
> the TLS connection is not always enforced. By stripping the "starttls"
> feature from the server response with a man-in-the-middle tool, an attacker
> can force the client to authenticate in clear text even if the
> "SecurityMode.required" TLS setting has been set. This is a race condition
> issue so the attack will work after a few tries.
>
> https://community.igniterealtime.org/blogs/ignite/2016/11/22/smack-security-advisory-2016-11-22
> https://issues.igniterealtime.org/browse/SMACK-739
> https://github.com/igniterealtime/Smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04
> https://github.com/igniterealtime/Smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b

>> smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java
>> smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java

Use CVE-2016-10027.
- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
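The failure mode in the quoted report, as an added Java example that is not Smack's code: a client that treats a missing STARTTLS feature as a stripping attempt when TLS is required, and gates the SASL exchange on the actual connection state rather than on earlier feature handling. Class and method names are hypothetical, and the two feature elements are constructed samples.

```java
import java.util.regex.Pattern;

/** Minimal model of a client that must not send credentials over a non-TLS stream. */
public class StripTlsGuard {
    enum SecurityMode { REQUIRED, IF_POSSIBLE, DISABLED }

    // Matches the STARTTLS feature as advertised in <stream:features/> (RFC 6120).
    private static final Pattern STARTTLS_FEATURE = Pattern.compile(
        "<starttls\\b[^>]*xmlns=['\"]urn:ietf:params:xml:ns:xmpp-tls['\"]");

    private final SecurityMode mode;
    private boolean tlsEstablished = false;

    StripTlsGuard(SecurityMode mode) { this.mode = mode; }

    /** Handle the raw <stream:features/> element received on the stream. */
    void onStreamFeatures(String features) {
        if (tlsEstablished) return;                 // features after TLS: nothing to enforce here
        boolean offered = STARTTLS_FEATURE.matcher(features).find();
        if (offered && mode != SecurityMode.DISABLED) {
            tlsEstablished = true;                  // stands in for the real STARTTLS handshake
        } else if (mode == SecurityMode.REQUIRED) {
            // A stripped feature looks identical to a server without TLS: fail closed.
            throw new SecurityException("TLS required but STARTTLS was not offered");
        }
    }

    /** Final gate before any SASL <auth/>: decided on connection state, not on past events. */
    void beforeAuthenticate() {
        if (mode == SecurityMode.REQUIRED && !tlsEstablished) {
            throw new SecurityException("refusing to send credentials: TLS not established");
        }
    }

    public static void main(String[] args) {
        // Constructed samples: features with STARTTLS removed, and features as a normal server sends them.
        String stripped = "<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                        + "<mechanism>PLAIN</mechanism></mechanisms></stream:features>";
        String normal = "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
                      + "<required/></starttls></stream:features>";
        StripTlsGuard ok = new StripTlsGuard(SecurityMode.REQUIRED);
        ok.onStreamFeatures(normal);
        ok.beforeAuthenticate();
        System.out.println("normal features: authentication allowed over TLS");
        StripTlsGuard stripCase = new StripTlsGuard(SecurityMode.REQUIRED);
        try {
            stripCase.onStreamFeatures(stripped);
            stripCase.beforeAuthenticate();
        } catch (SecurityException e) {
            System.out.println("stripped features rejected: " + e.getMessage());
        }
    }
}
```

Because beforeAuthenticate() reads only tlsEstablished, the credentials stay protected even if feature processing and the login path interleave unexpectedly.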