Re: Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

You can now use our *online SASL bug security check*, to see if your server is 
vulnerable.
It can be found on https://www.unrealircd.org/check_sasl.php
Just enter your server IP and it will show if your server is vulnerable or not.

NOTE: This only works reliable on UnrealIRCd servers. Don't use it for other 
IRC server brands!

Bram Matthys wrote on 3-9-2016 21:25:
>
> Hi everyone,
>
> A security issue was detected in a number of IRCd's, including UnrealIRCd, 
> regarding the way SASL is implemented.
> If you use services _and_ have SASL enabled (you need to do this explicitly) 
> then you should patch or upgrade as soon as possible.
> _While this only affects 2% of our userbase, for those networks which are 
> affected this is a very serious issue_. If you are affected you can upgrade 
> to one of the new UnrealIRCd releases or you can upgrade their existing 
> UnrealIRCd _without a restart_ (see below)
>
> Note that releases and this security announcement have been made in a hurry. 
> Details on this issue are already available online at other websites.
>
> *Issue details
> *An attacker can send an SSL fingerprint of his choice to services when 
> doing SASL authentication. An attacker can compromise a services account if 
> the user has an SSL fingerprint stored in services.
>
> *How to check if you are affected (how do I know if I use SASL?)*
> You are only affected if all of the following is true:
>
>  1. SASL is enabled in UnrealIRCd: *check if set::sasl-server is set* to a
>     valid server
>  2. Your services support SASL (eg: anope)
>  3. Your services support SSL fingerprint authentication (eg: anope)
>
> *How to get the fix/patch?*
>
> Windows users should download and install UnrealIRCd 4.0.6 or 3.2.10.7.
>
> Linux/BSD/.. users can also install 4.0.6 / 3.2.10.7 *OR *you can choose to 
> patch UnrealIRCd on-the-fly without a restart.
> Since the patch is usually the easiest and most user friendly solution, we 
> recommend it.
> Run the following on the IRC shell:
> wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
>
> *Q&A*
> *Have there been any reports of these bugs being abused by anyone?
> *We don't know. It sounds likely, the issue is very easy to exploit.
>
> *Should I upgrade?
> *If you use SASL authentication then yes you should definitely upgrade. If 
> you do not have SASL enabled then there is no need to upgrade at this time, 
> this is true for most of our users (98%).
> *
> ****Are there any workarounds so I don't have to upgrade?*
> **As a very quick workaround you could disable SASL entirely by removing the 
> set::sasl-server setting and rehashing the IRCd.
> You could also disable SASL at the services level. For anope you do this by 
> unloading the m_sasl module (in anope).
> *****
> ***Can I upgrade without restarting the IRC server?
> **On Windows no, but on Linux/BSD/.. yes you can. Run the following on the 
> shell:
> wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
> *
> ****How serious are these bugs?
> *See the /Issue details/ above. If you are affected then all user accounts 
> with an SSL fingerprint for authentication can be compromised.*
> *
> *When were these issues reported?*
> This issues was reported a few hours ago. Details of the exploit were 
> already available online before this fix and security announcement were 
> available, so everything has been written in a rush.
>
> *Updates to this advisory
> *This release announcement/advisory can be found here 
> <https://forums.unrealircd.org/viewtopic.php?f=1&t=8588>. Small 
> corrections/updates will be posted there, if any.*
>
> *
> ------------------------------------------------------------------------------
> *
> What's new in UnrealIRCd 4
> *A short overview of the most important changes:*
> *
>
>   * <https://www.unrealircd.org/docs/Modules>You decide what to load
>     <https://www.unrealircd.org/docs/Modules>. We have moved as much
>     functionality as possible to 150+ individually loadable modules
>     (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>, user
>     modes <https://www.unrealircd.org/docs/User_modes>, channel modes
>     <https://www.unrealircd.org/docs/Channel_modes>, extbans
>     <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You
>     decide which features your UnrealIRCd should have.
>   * Fine-grained IRCOp privileges
>     <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
>     privileges are granted has been redone entirely. This allows you to
>     configure oper privileges on a very detailed level. You don't want
>     OperOverride? You don't want opers to see secret channels? Or you want
>     an oper with a very minimal set of privileges? This is all possible.
>   * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
>     documentation has been moved to a wiki
>     <https://www.unrealircd.org/docs/>. It's even better than before and
>     more accessible to people who are new to IRCd's. The wiki also allows
>     easy translation
>     <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
>     community members.
>   * New directory structure
>     <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
>     *NIX the IRCd is now always installed to a different directory than
>     where you compile from (~/unrealircd by default). No more mess. On both
>     *NIX and Windows configuration files go in conf/, modules go in
>     modules/, etc.. Configuration files can be identical on Windows and
>     *NIX. This new directory structure also allows easier packaging.
>   * New I/O system using kqueue & epoll. The IRCd can now handle thousands
>     of users more easily.
>   * Improved SSL/TLS support. SSL has always been a major feature in
>     UnrealIRCd but has been enhanced. UnrealIRCd is now always built with
>     SSL support (both on *NIX and Windows). SSL client certificate
>     fingerprints are visible in /WHOIS, a new certfp extban
>     <https://www.unrealircd.org/docs/Extended_bans>
>     (~S:certificatefingerprint), better defaults including 4096 bit keys and
>     Perfect forward secrecy <https://en.wikipedia.org/wiki/Forward_secrecy>,
>     etc.
>   * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
>     (DNSBL/RBL). Great for combating drones and other abusers.
>   * Better and more helpful error messages. Especially regarding the
>     configuration file.
>   * More modern server-to-server protocol.
>     <https://www.unrealircd.org/docs/Server_protocol:Changes> Such as using
>     UID/SID's. Resulting in less desynch. issues.
>   * Lowering the bar for Spamfilter
>     <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
>     now choose between 'regex' and 'simple' matching. Simple matching allows
>     using the usual '?' and '*' wildcards that everyone knows about. The
>     regex engine has been moved from TRE to PCRE (=about twice as fast).
>   * Configuration is more logical
>     <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of
>     the configuration blocks have been restructured. Don't worry, we include
>     an UnrealIRCd 3.2.x to 4.x configuration file converter.
>   * Easier 3rd party module management. On *NIX you now just put your 3rd
>     party modules in /src/modules/third/ and then each time you run 'make'
>     they will be compiled if needed.
>   * Easier upgrading. On *NIX, when upgrading to a new version, ./Config
>     will ask you to import settings from a previous installation,
>     remembering your installation directory and other settings. It will also
>     copy the 3rd party modules from the old to the new installation and
>     re-compile them.
>   * More secure. Even better secure defaults, more warnings about insecure
>     behavior, ..
>   * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
>
> For developers:
>
>   * Easier source navigation. Because we moved almost everything to modules,
>     it's now much easier to see all the code for a particular feature.
>   * Cleaner code. There have been a lot of source code cleanups. Code has
>     been restructured or rewritten. Old irrelevant code has been deleted.
>   * Development documentation can be found on the wiki
>     <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
>     module in C and list all the details on the various Module API's such as
>     how to write commands, channel modes, plug-in by using Hooks, etc...
>
> *Upgrading from 3.2.x**to UnrealIRCd 4*
> If you are upgrading from 3.2.x to 4.x then there are three important things 
> to know:
> *1) New file locations*
> In UnrealIRCd 4 the location of the configuration files and other files have 
> been changed. On *NIX the directory where you compile the IRCd from 
> (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as 
> the directory where the IRCd will be running from.
> By default the IRCd is installed to //home/yourusername/unrealircd/ on *NIX. 
> On Windows UnrealIRCd will install to /C:\Program Files (x86\UnrealIRCd 4/.
>
> The new directory structure is as follows (both on Windows and *NIX):
> conf/           contains all configuration files
> logs/           for log files
> modules/   all modules (.so files on *NIX, .dll files on Windows)
>
> *2) Configuration file changes
> *There have also been changes in various configuration blocks and settings. 
> Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files 
> to UnrealIRCd 4 format. There's no need to start from scratch.
> Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more 
> information on the config file conversion.
>
> *3) Third party modules*
> If you are using 3rd party modules (modules not developed by the UnrealIRCd 
> team) then they will require an update before they can run on UnrealIRCd 4. 
> Contact your developer for a new version or ask on our Modules forum 
> <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind 
> enough to convert the module for you if you ask nicely. Due to the many core 
> changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work 
> out-of-the-box on 4.x as well.
>
> *Running a mixed 3.2.x / 4.x network*
> You can run a mixed 3.2.x <-> 4.x network if you a follow a few simple rules 
> <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
>
> *End of the 3.2.x series*
> With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
> All support for the 3.2.x series will stop after December 31, 2016.
> See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
>
> *Download*
> As always, you can download UnrealIRCd from https://www.unrealircd.org/
> All releases are signed with our PGP key (short key id 0x108FF4A9 and long 
> id 0xA7A21B0A108FF4A9)
>
> Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
> -- 
> Bram Matthys
> Software developer/IT con...@vu...
> Website:www.vulnscan.org
> PGP key:www.vulnscan.org/pubkey.asc
> PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

-- 
Bram Matthys
Software developer/IT consultant        sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6