[Unreal-users] SSL Heartbleed security issue & UnrealIRCd
From: Bram M. <sy...@un...> - 2014-04-08 17:35:35
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi all,

A serious issue in OpenSSL was reported yesterday, the so-called 'Heartbleed' bug (CVE-2014-0160). This bug is very serious because it gives remote users the ability to read highly sensitive data from the memory of programs using OpenSSL. This includes private SSL keys, passwords, etc.

There's a lot of media attention regarding this bug, and a lot of attention from hackers. It's likely that there is, or very soon will be, an active exploit available. We therefore suggest taking this matter seriously and not delaying the fix (IF you are affected, read on..).

UNREALIRCD & HEARTBLEED
========================

UnrealIRCd uses the OpenSSL library for all its SSL/TLS functionality. So if you are using an UnrealIRCd version with SSL support then you may be vulnerable to this serious security issue.

Note that even if you are not actively using SSL/TLS, even if you have no SSL listen ports, just the simple fact that you COMPILED WITH OpenSSL support means you may be affected. In fact, even if your server is completely password protected, like a hub: even then, if you are running a vulnerable version of OpenSSL then you are still affected.

HOW TO CHECK IF YOU ARE USING OPENSSL AND WHICH VERSION
========================================================

Windows users who already know they are using the SSL version of UnrealIRCd can take a shortcut here: UnrealIRCd 3.2.9-SSL and later on Windows are all vulnerable, skip directly to 'I AM VULNERABLE - WHAT TO DO?'.

The best way to check if you are vulnerable is to execute '/VERSION' as an IRC Operator (IRCOp) on your server and verify the OpenSSL version. As IRCOp you can also check other servers for OpenSSL on your network by using:

/VERSION [remote server name]

This should output the UnrealIRCd version (eg: Unreal3.2.10.2) and some more:

1) If you have SSL enabled then you will see something like:
[17:58:04] -serv.er.name- OpenSSL A.B.Cd [Some Date]
Continue reading under 'I AM USING SSL - AM I VULNERABLE?'...

2) If you are an IRCOp, you did /VERSION, and you did not see any line with 'OpenSSL' in it, then this means OpenSSL support is not compiled in and you are safe. You don't need to take any action and can stop reading.

Note that if you are NOT an IRCOp then no OpenSSL version information will be displayed. Therefore it's important you execute the /VERSION command as IRCOp.

I AM USING SSL - AM I VULNERABLE?
==================================

The following OpenSSL versions have the security issue:
* 1.0.1 up to and including 1.0.1f (so: 1.0.1a, 1.0.1b, etc..)
* 1.0.2-beta1

The following versions are safe:
* Any version before 1.0.1, so 1.0.0x or 0.9.8etc...
* 1.0.1g (which has just been released on April 7, 2014)

If you are using any such 'safe' version, then you don't need to take any action.

I AM VULNERABLE - WHAT TO DO?
==============================

If you are indeed using 1.0.1-1.0.1f then you are affected by this security issue.

Windows
--------

Simply re-download the package from http://www.unrealircd.com/
The installer will show 'Unreal3.2.10.2-SSL with Heartbeat fix', and once installed you will see (by using /VERSION as IRCOp) that the OpenSSL version is 1.0.1g.

Linux / *NIX
-------------

Update your system the usual way. This depends on your OS and distribution. On Debian/Ubuntu it's 'apt-get update; apt-get upgrade', while on Redhat-based systems 'yum' is used, etc... If you don't have root on your system, consult your (shell) provider.

You normally don't need to recompile UnrealIRCd. But once you have installed an updated version of OpenSSL you must RESTART UnrealIRCd. A simple /REHASH is not sufficient.

After UnrealIRCd has been restarted, verify that your OpenSSL version is indeed safe now. You can see the OpenSSL version in the boot screen of ./unreal start, or check it by running /VERSION as IRCOp as mentioned earlier.

TIMELINE
=========

[2014-04-07 18:39 GMT] OpenSSL Security advisory
[2014-04-08 15:39 GMT] UnrealIRCd windows download replaced
[2014-04-08 16:55 GMT] UnrealIRCd advisory e-mail sent out

UPDATES
========

The following URL contains a copy of this advisory, and any updates to it:
http://forums.unrealircd.com/viewtopic.php?f=1&t=8265

--
Bram Matthys
Software developer/IT consultant
sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iF4EAREIAAYFAlNEKlcACgkQbmdtRX/hmaYVOAD9GTCVWHtoBEGorShJ/7EViC2k
AIpbUcBKl12HGEQY7+0A/RF/4rJDRkd/ErSMudaarWKzPCkkLfRcQ2ZmmeBIKhTS
=lY4b
-----END PGP SIGNATURE-----
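The advisory's check is manual: run /VERSION as IRCOp on each server, read the OpenSSL line, and compare it against the affected ranges. When a network has many linked servers it is easy to misread a version letter, so here is a small triage script that does the comparison for you. This is an added example, not code from the advisory or from the UnrealIRCd project; the /VERSION reply lines are constructed for the example (server names and dates are made up, the line format follows the advisory's own sample), and the classification encodes the advisory's ranges (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; anything before 1.0.1 and 1.0.1g safe). It goes one step beyond the advisory by treating 1.0.1 letters after 'g' as safe too, since those are later fixed releases; any other version it cannot place gets 'unknown' rather than a guess.

```python
import re

# Constructed /VERSION reply lines for this example. Only the OpenSSL
# line matters; the last line stands in for a server with no OpenSSL
# line at all (OpenSSL not compiled in, per the advisory).
SAMPLE_VERSION_LINES = [
    "[17:58:04] -serv.er.name- OpenSSL 1.0.1e 11 Feb 2013",
    "[17:58:05] -hub.example.net- OpenSSL 1.0.1g 7 Apr 2014",
    "[17:58:06] -old.example.net- OpenSSL 0.9.8y 5 Feb 2013",
    "[17:58:07] -beta.example.net- OpenSSL 1.0.2-beta1 24 Feb 2014",
    "[17:58:08] -bare.example.net- OpenSSL 1.0.1 14 Mar 2012",
    "[17:58:09] -nossl.example.net- Unreal3.2.10.2. nossl.example.net",
]

# "OpenSSL 1.0.1e ..." -> (1, 0, 1, "e", None); "1.0.2-beta1" -> beta group set.
OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")
SERVER_RE = re.compile(r"\s-(\S+)-\s")


def parse_openssl_version(line):
    """Return (major, minor, patch, letter, beta) from a /VERSION line, or None
    if the line carries no OpenSSL version at all."""
    m = OPENSSL_RE.search(line)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, beta)


def classify(version):
    """Map a parsed version to 'vulnerable', 'safe', 'unknown' or 'no-openssl'
    using the ranges given in the advisory."""
    if version is None:
        # No OpenSSL line in an IRCOp /VERSION reply: OpenSSL not compiled in.
        return "no-openssl"
    major, minor, patch, letter, beta = version
    base = (major, minor, patch)
    if base < (1, 0, 1):
        # 1.0.0x, 0.9.8x, ...: Heartbeat extension never existed there.
        return "safe"
    if base == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
        # Assumption beyond the advisory: later 1.0.1 letters keep the fix.
        return "vulnerable" if letter <= "f" else "safe"
    if base == (1, 0, 2) and beta == "beta1":
        return "vulnerable"
    # Anything the advisory does not cover: do not guess.
    return "unknown"


def audit(lines):
    """Return {server_name: verdict} for a batch of /VERSION reply lines."""
    verdicts = {}
    for line in lines:
        m = SERVER_RE.search(line)
        server = m.group(1) if m else line.strip()
        verdicts[server] = classify(parse_openssl_version(line))
    return verdicts


if __name__ == "__main__":
    for server, verdict in audit(SAMPLE_VERSION_LINES).items():
        print(f"{server:24s} {verdict}")
```

One caveat when reading the result: the version string alone is what the advisory asks you to check, but some Linux distributions ship a patched OpenSSL under the old version number (the fix is backported without bumping the letter), so a 'vulnerable' verdict on a freshly updated distro package is worth confirming against your distribution's own package changelog before you panic; a 'safe' verdict is only meaningful after UnrealIRCd has been restarted, as the advisory stresses.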