Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)
From: Bram M. <sy...@un...> - 2016-09-03 19:38:22
Hi everyone,

A security issue was detected in a number of IRCd's, including UnrealIRCd, regarding the way SASL is implemented. If you use services _and_ have SASL enabled (you need to do this explicitly) then you should patch or upgrade as soon as possible. _While this only affects 2% of our userbase, for those networks which are affected this is a very serious issue_.

If you are affected you can upgrade to one of the new UnrealIRCd releases, or you can patch your existing UnrealIRCd _without a restart_ (see below).

Note that the releases and this security announcement have been made in a hurry. Details on this issue are already available online at other websites.

*Issue details*

An attacker can send an SSL fingerprint of his choice to services when doing SASL authentication. An attacker can therefore compromise a services account if that account has an SSL fingerprint stored in services.

*How to check if you are affected (how do I know if I use SASL?)*

You are only affected if all of the following is true:
1. SASL is enabled in UnrealIRCd: *check if set::sasl-server is set* to a valid server
2. Your services support SASL (eg: anope)
3. Your services support SSL fingerprint authentication (eg: anope)

*How to get the fix/patch?*

Windows users should download and install UnrealIRCd 4.0.6 or 3.2.10.7.

Linux/BSD/.. users can also install 4.0.6 / 3.2.10.7 *OR* you can choose to patch UnrealIRCd on-the-fly without a restart. Since the patch is usually the easiest and most user friendly solution, we recommend it. Run the following on the IRC shell:

wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher

Note that the patcher is fetched over plain HTTP and executed directly; if you cannot trust the network path to unrealircd.org, install the PGP-signed release instead.

*Q&A*

*Have there been any reports of these bugs being abused by anyone?*
We don't know. It sounds likely, as the issue is very easy to exploit.

*Should I upgrade?*
If you use SASL authentication then yes, you should definitely upgrade. If you do not have SASL enabled then there is no need to upgrade at this time; this is true for most of our users (98%).
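The affected-check above (condition 1: is set::sasl-server set in unrealircd.conf; condition 2: do services load SASL) and the quick workaround of removing the set::sasl-server setting, as an added shell example. This is not the project's saslpatcher and not code from this advisory. It assumes UnrealIRCd's comment syntax (//, # and single-line /* */), a quoted sasl-server value, and that Anope loads SASL through a `module { name = "m_sasl" }` block in services.conf (the m_sasl name is from the advisory, the block syntax is an assumption). The sample config files it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of this advisory or the UnrealIRCd project.
# Checks the advisory's affected-conditions 1 and 2 against config files
# and applies the quick workaround (drop set::sasl-server) to a copy.
# Assumptions: UnrealIRCd's comment syntax (//, # and /* ... */ on one
# line) and a quoted sasl-server value; for Anope, that SASL is loaded
# with a 'module { name = "m_sasl" }' block in services.conf.
# Limitation: a '#' inside a quoted string is treated as a comment.

# Print a config with //, # and single-line /* */ comments removed,
# so a commented-out sasl-server line does not count as enabled.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' -e 's|/\*[^*]*\*/||g' "$1"
}

# Print the configured sasl-server value, or nothing if it is not set.
sasl_server_value() {
    strip_comments "$1" \
      | grep -o 'sasl-server[[:space:]]*"[^"]*"' \
      | head -n 1 \
      | sed -e 's/.*"\([^"]*\)".*/\1/'
}

# Condition 1: exit 0 if set::sasl-server is set to a non-empty value.
unreal_sasl_enabled() {
    [ -n "$(sasl_server_value "$1")" ]
}

# Condition 2 (Anope, assumed block syntax): exit 0 if m_sasl is loaded.
anope_sasl_loaded() {
    strip_comments "$1" | tr -d '\n' \
      | grep -q 'module[[:space:]]*{[^}]*name[[:space:]]*=[[:space:]]*"m_sasl"'
}

# Workaround: remove the sasl-server setting, writing to $2 so the
# original stays untouched; rehash the IRCd after swapping it in.
disable_sasl_server() {
    sed -e 's/sasl-server[[:space:]]*"[^"]*"[[:space:]]*;//' "$1" > "$2"
}

# Constructed sample configs (not from any real network).
SAMPLE_DIR=$(mktemp -d)
UNREAL_CONF="$SAMPLE_DIR/unrealircd.conf"
ANOPE_CONF="$SAMPLE_DIR/services.conf"
cat > "$UNREAL_CONF" <<'EOF'
/* constructed sample unrealircd.conf */
set {
    network-name "ExampleNet";
    # sasl-server "old.services.example.org";   // inactive: commented out
    sasl-server "services.example.org";
};
EOF
cat > "$ANOPE_CONF" <<'EOF'
# constructed sample services.conf
module { name = "m_sasl" }
EOF

if unreal_sasl_enabled "$UNREAL_CONF" && anope_sasl_loaded "$ANOPE_CONF"; then
    echo "SASL is enabled (sasl-server = $(sasl_server_value "$UNREAL_CONF"))"
    echo "and services load m_sasl: patch/upgrade, or apply the workaround."
    disable_sasl_server "$UNREAL_CONF" "$SAMPLE_DIR/unrealircd.conf.nosasl"
else
    echo "SASL not enabled on both sides: not affected by this issue."
fi
```

Run it against your own files by calling unreal_sasl_enabled and anope_sasl_loaded on the real paths; the workaround output file is only a copy, so nothing changes until you move it into place and rehash.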
*Are there any workarounds so I don't have to upgrade?*
As a very quick workaround you could disable SASL entirely by removing the set::sasl-server setting and rehashing the IRCd. You could also disable SASL at the services level. For anope you do this by unloading the m_sasl module.

*Can I upgrade without restarting the IRC server?*
On Windows no, but on Linux/BSD/.. yes you can. Run the following on the shell:

wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher

*How serious are these bugs?*
See the /Issue details/ above. If you are affected then all user accounts with an SSL fingerprint for authentication can be compromised.

*When were these issues reported?*
This issue was reported a few hours ago. Details of the exploit were already available online before this fix and security announcement were available, so everything has been written in a rush.

*Updates to this advisory*
This release announcement/advisory can be found at <https://forums.unrealircd.org/viewtopic.php?f=1&t=8588>. Small corrections/updates will be posted there, if any.

------------------------------------------------------------------------------

*What's new in UnrealIRCd 4*

A short overview of the most important changes:

* You decide what to load <https://www.unrealircd.org/docs/Modules>. We have moved as much functionality as possible to 150+ individually loadable modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user modes <https://www.unrealircd.org/docs/User_modes>, channel modes <https://www.unrealircd.org/docs/Channel_modes>, extbans <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide which features your UnrealIRCd should have.
* Fine-grained IRCOp privileges <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp privileges are granted has been redone entirely. This allows you to configure oper privileges on a very detailed level.
You don't want OperOverride? You don't want opers to see secret channels? Or you want an oper with a very minimal set of privileges? This is all possible.
* Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All documentation has been moved to a wiki <https://www.unrealircd.org/docs/>. It's even better than before and more accessible to people who are new to IRCd's. The wiki also allows easy translation <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by community members.
* New directory structure <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On *NIX the IRCd is now always installed to a different directory than where you compile from (~/unrealircd by default). No more mess. On both *NIX and Windows configuration files go in conf/, modules go in modules/, etc. Configuration files can be identical on Windows and *NIX. This new directory structure also allows easier packaging.
* New I/O system using kqueue & epoll. The IRCd can now handle thousands of users more easily.
* Improved SSL/TLS support. SSL has always been a major feature in UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL support (both on *NIX and Windows). SSL client certificate fingerprints are visible in /WHOIS, there is a new certfp extban <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint), better defaults including 4096 bit keys and Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
* DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block> (DNSBL/RBL). Great for combating drones and other abusers.
* Better and more helpful error messages. Especially regarding the configuration file.
* More modern server-to-server protocol <https://www.unrealircd.org/docs/Server_protocol:Changes>, such as using UID/SIDs. This results in fewer desync issues.
* Lowering the bar for Spamfilter <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can now choose between 'regex' and 'simple' matching. Simple matching allows using the usual '?' and '*' wildcards that everyone knows about. The regex engine has been moved from TRE to PCRE (about twice as fast).
* Configuration is more logical <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the configuration blocks have been restructured. Don't worry, we include an UnrealIRCd 3.2.x to 4.x configuration file converter.
* Easier 3rd party module management. On *NIX you now just put your 3rd party modules in src/modules/third/ and then each time you run 'make' they will be compiled if needed.
* Easier upgrading. On *NIX, when upgrading to a new version, ./Config will ask you to import settings from a previous installation, remembering your installation directory and other settings. It will also copy the 3rd party modules from the old to the new installation and re-compile them.
* More secure. Even better secure defaults, more warnings about insecure behavior, ..
* *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.

For developers:
* Easier source navigation. Because we moved almost everything to modules, it's now much easier to see all the code for a particular feature.
* Cleaner code. There have been a lot of source code cleanups. Code has been restructured or rewritten. Old irrelevant code has been deleted.
* Development documentation can be found on the wiki <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a module in C and list all the details on the various Module APIs such as how to write commands, channel modes, plug-in by using Hooks, etc.

*Upgrading from 3.2.x to UnrealIRCd 4*

If you are upgrading from 3.2.x to 4.x then there are three important things to know:

*1) New file locations*

In UnrealIRCd 4 the location of the configuration files and other files has changed. On *NIX the directory where you compile the IRCd from (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as the directory where the IRCd will be running from. By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX. On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4. The new directory structure is as follows (both on Windows and *NIX):
  conf/     contains all configuration files
  logs/     for log files
  modules/  all modules (.so files on *NIX, .dll files on Windows)

*2) Configuration file changes*

There have also been changes in various configuration blocks and settings. Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files to UnrealIRCd 4 format. There's no need to start from scratch. Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more information on the config file conversion.

*3) Third party modules*

If you are using 3rd party modules (modules not developed by the UnrealIRCd team) then they will require an update before they can run on UnrealIRCd 4. Contact your developer for a new version or ask on our Modules forum <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind enough to convert the module for you if you ask nicely. Due to the many core changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work out-of-the-box on 4.x as well.

*Running a mixed 3.2.x / 4.x network*

You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.

*End of the 3.2.x series*

With the release of UnrealIRCd 4.0.0 we have deprecated the previous series. All support for the 3.2.x series will stop after December 31, 2016.
See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated

*Download*

As always, you can download UnrealIRCd from https://www.unrealircd.org/

All releases are signed with our PGP key (short key id 0x108FF4A9 and long id 0xA7A21B0A108FF4A9). Check the signature against the long id or the full key fingerprint rather than the 32-bit short id, since short key ids are cheap to collide.

Please report all bugs and feature suggestions at https://bugs.unrealircd.org/

-- 
Bram Matthys
Software developer/IT con...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6