Re: Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)
From: Bram M. <sy...@un...> - 2016-09-03 20:39:26
You can now use our *online SASL bug security check* to see if your server is
vulnerable. It can be found on https://www.unrealircd.org/check_sasl.php
Just enter your server IP and it will show if your server is vulnerable or not.
NOTE: This only works reliably on UnrealIRCd servers. Don't use it for other
IRC server brands!

Bram Matthys wrote on 3-9-2016 21:25:
>
> Hi everyone,
>
> A security issue was detected in a number of IRCd's, including UnrealIRCd,
> regarding the way SASL is implemented.
> If you use services _and_ have SASL enabled (you need to do this explicitly)
> then you should patch or upgrade as soon as possible.
> _While this only affects 2% of our userbase, for those networks which are
> affected this is a very serious issue_. If you are affected you can upgrade
> to one of the new UnrealIRCd releases or you can upgrade their existing
> UnrealIRCd _without a restart_ (see below)
>
> Note that releases and this security announcement have been made in a hurry.
> Details on this issue are already available online at other websites.
>
> *Issue details*
> An attacker can send an SSL fingerprint of his choice to services when
> doing SASL authentication. An attacker can compromise a services account if
> the user has an SSL fingerprint stored in services.
>
> *How to check if you are affected (how do I know if I use SASL?)*
> You are only affected if all of the following is true:
>
> 1. SASL is enabled in UnrealIRCd: *check if set::sasl-server is set* to a
>    valid server
> 2. Your services support SASL (eg: anope)
> 3. Your services support SSL fingerprint authentication (eg: anope)
>
> *How to get the fix/patch?*
>
> Windows users should download and install UnrealIRCd 4.0.6 or 3.2.10.7.
>
> Linux/BSD/.. users can also install 4.0.6 / 3.2.10.7 *OR* you can choose to
> patch UnrealIRCd on-the-fly without a restart.
> Since the patch is usually the easiest and most user friendly solution, we
> recommend it.
> Run the following on the IRC shell:
> wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
>
> *Q&A*
>
> *Have there been any reports of these bugs being abused by anyone?*
> We don't know. It sounds likely, the issue is very easy to exploit.
>
> *Should I upgrade?*
> If you use SASL authentication then yes you should definitely upgrade. If
> you do not have SASL enabled then there is no need to upgrade at this time,
> this is true for most of our users (98%).
>
> *Are there any workarounds so I don't have to upgrade?*
> As a very quick workaround you could disable SASL entirely by removing the
> set::sasl-server setting and rehashing the IRCd.
> You could also disable SASL at the services level. For anope you do this by
> unloading the m_sasl module (in anope).
>
> *Can I upgrade without restarting the IRC server?*
> On Windows no, but on Linux/BSD/.. yes you can. Run the following on the
> shell:
> wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
>
> *How serious are these bugs?*
> See the /Issue details/ above. If you are affected then all user accounts
> with an SSL fingerprint for authentication can be compromised.
>
> *When were these issues reported?*
> This issue was reported a few hours ago. Details of the exploit were
> already available online before this fix and security announcement were
> available, so everything has been written in a rush.
>
> *Updates to this advisory*
> This release announcement/advisory can be found here
> <https://forums.unrealircd.org/viewtopic.php?f=1&t=8588>. Small
> corrections/updates will be posted there, if any.
>
> ------------------------------------------------------------------------------
>
> *What's new in UnrealIRCd 4*
> A short overview of the most important changes:
>
> * You decide what to load <https://www.unrealircd.org/docs/Modules>. We have
>   moved as much functionality as possible to 150+ individually loadable
>   modules (commands <https://www.unrealircd.org/docs/User_%26_Oper_commands>,
>   user modes <https://www.unrealircd.org/docs/User_modes>, channel modes
>   <https://www.unrealircd.org/docs/Channel_modes>, extbans
>   <https://www.unrealircd.org/docs/Extended_bans>, snomasks, ..). You decide
>   which features your UnrealIRCd should have.
> * Fine-grained IRCOp privileges
>   <https://www.unrealircd.org/docs/Operclass_block>. The way IRCOp
>   privileges are granted has been redone entirely. This allows you to
>   configure oper privileges on a very detailed level. You don't want
>   OperOverride? You don't want opers to see secret channels? Or you want an
>   oper with a very minimal set of privileges? This is all possible.
> * Wiki <https://www.unrealircd.org/docs/UnrealIRCd_4_documentation>. All
>   documentation has been moved to a wiki <https://www.unrealircd.org/docs/>.
>   It's even better than before and more accessible to people who are new to
>   IRCd's. The wiki also allows easy translation
>   <https://www.unrealircd.org/docs/Translating_UnrealIRCd_wiki_pages> by
>   community members.
> * New directory structure
>   <https://www.unrealircd.org/docs/UnrealIRCd_files_and_directories>. On
>   *NIX the IRCd is now always installed to a different directory than where
>   you compile from (~/unrealircd by default). No more mess. On both *NIX and
>   Windows configuration files go in conf/, modules go in modules/, etc..
>   Configuration files can be identical on Windows and *NIX. This new
>   directory structure also allows easier packaging.
> * New I/O system using kqueue & epoll. The IRCd can now handle thousands of
>   users more easily.
> * Improved SSL/TLS support. SSL has always been a major feature in
>   UnrealIRCd but has been enhanced. UnrealIRCd is now always built with SSL
>   support (both on *NIX and Windows). SSL client certificate fingerprints
>   are visible in /WHOIS, a new certfp extban
>   <https://www.unrealircd.org/docs/Extended_bans> (~S:certificatefingerprint),
>   better defaults including 4096 bit keys and Perfect forward secrecy
>   <https://en.wikipedia.org/wiki/Forward_secrecy>, etc.
> * DNS Blacklist support <https://www.unrealircd.org/docs/Blacklist_block>
>   (DNSBL/RBL). Great for combating drones and other abusers.
> * Better and more helpful error messages. Especially regarding the
>   configuration file.
> * More modern server-to-server protocol
>   <https://www.unrealircd.org/docs/Server_protocol:Changes>. Such as using
>   UID/SID's. Resulting in less desynch. issues.
> * Lowering the bar for Spamfilter
>   <https://www.unrealircd.org/docs/Spamfilter#Block_simple_spam>. You can
>   now choose between 'regex' and 'simple' matching. Simple matching allows
>   using the usual '?' and '*' wildcards that everyone knows about. The regex
>   engine has been moved from TRE to PCRE (=about twice as fast).
> * Configuration is more logical
>   <https://www.unrealircd.org/docs/Upgrading_from_3.2.x>. Around 30% of the
>   configuration blocks have been restructured. Don't worry, we include an
>   UnrealIRCd 3.2.x to 4.x configuration file converter.
> * Easier 3rd party module management. On *NIX you now just put your 3rd
>   party modules in /src/modules/third/ and then each time you run 'make'
>   they will be compiled if needed.
> * Easier upgrading. On *NIX, when upgrading to a new version, ./Config will
>   ask you to import settings from a previous installation, remembering your
>   installation directory and other settings. It will also copy the 3rd party
>   modules from the old to the new installation and re-compile them.
> * More secure. Even better secure defaults, more warnings about insecure
>   behavior, ..
> * *IPv6 now also on Windows* <https://www.unrealircd.org/docs/Ipv6>.
>
> For developers:
>
> * Easier source navigation. Because we moved almost everything to modules,
>   it's now much easier to see all the code for a particular feature.
> * Cleaner code. There have been a lot of source code cleanups. Code has been
>   restructured or rewritten. Old irrelevant code has been deleted.
> * Development documentation can be found on the wiki
>   <https://www.unrealircd.org/docs/Main_Page>. We explain how to write a
>   module in C and list all the details on the various Module API's such as
>   how to write commands, channel modes, plug-in by using Hooks, etc...
>
> *Upgrading from 3.2.x to UnrealIRCd 4*
> If you are upgrading from 3.2.x to 4.x then there are three important things
> to know:
>
> *1) New file locations*
> In UnrealIRCd 4 the location of the configuration files and other files has
> been changed. On *NIX the directory where you compile the IRCd from
> (previously 'Unreal3.2.X', now 'unrealircd-4.0.0') is no longer the same as
> the directory where the IRCd will be running from.
> By default the IRCd is installed to /home/yourusername/unrealircd/ on *NIX.
> On Windows UnrealIRCd will install to C:\Program Files (x86)\UnrealIRCd 4.
>
> The new directory structure is as follows (both on Windows and *NIX):
> conf/    contains all configuration files
> logs/    for log files
> modules/ all modules (.so files on *NIX, .dll files on Windows)
>
> *2) Configuration file changes*
> There have also been changes in various configuration blocks and settings.
> Don't worry, UnrealIRCd can convert your existing 3.2.x configuration files
> to UnrealIRCd 4 format. There's no need to start from scratch.
> Please read https://www.unrealircd.org/docs/Upgrading_from_3.2.x for more
> information on the config file conversion.
>
> *3) Third party modules*
> If you are using 3rd party modules (modules not developed by the UnrealIRCd
> team) then they will require an update before they can run on UnrealIRCd 4.
> Contact your developer for a new version or ask on our Modules forum
> <https://forums.unrealircd.org/viewforum.php?f=52> where someone may be kind
> enough to convert the module for you if you ask nicely. Due to the many core
> changes in UnrealIRCd 4 it was simply impossible to make 3.2.x modules work
> out-of-the-box on 4.x as well.
>
> *Running a mixed 3.2.x / 4.x network*
> You can run a mixed 3.2.x <-> 4.x network if you follow a few simple rules
> <https://www.unrealircd.org/docs/Running_a_mixed_UnrealIRCd_3.2_and_UnrealIRCd_4_network>.
>
> *End of the 3.2.x series*
> With the release of UnrealIRCd 4.0.0 we have deprecated the previous series.
> All support for the 3.2.x series will stop after December 31, 2016.
> See https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated
>
> *Download*
> As always, you can download UnrealIRCd from https://www.unrealircd.org/
> All releases are signed with our PGP key (short key id 0x108FF4A9 and long
> id 0xA7A21B0A108FF4A9)
>
> Please report all bugs and feature suggestions at https://bugs.unrealircd.org/
> --
> Bram Matthys
> Software developer/IT con...@vu...
> Website: www.vulnscan.org
> PGP key: www.vulnscan.org/pubkey.asc
> PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6

--
Bram Matthys
Software developer/IT consultant sy...@vu...
Website: www.vulnscan.org
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6
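An added example, not UnrealIRCd's own code and not the online checker linked above: a small Python parser for UnrealIRCd-style `name { key value; };` configuration blocks that reports whether `set::sasl-server` is set, which is precondition 1 of the "How to check if you are affected" list in the quoted advisory, and shows the same configuration after the advisory's quick workaround of removing that setting. The two config fragments, the hostnames `irc.example.net` and `services.example.net`, and the function names are constructed for this example; preconditions 2 and 3 live on the services side (anope's SASL and certfp support) and cannot be read from this file.

```python
"""Report whether an UnrealIRCd config enables SASL (set::sasl-server).

Added illustration for the SASL advisory; not UnrealIRCd project code.
Only precondition 1 of the advisory's checklist can be decided from the
IRCd config; the services-side preconditions are out of scope here.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: SASL is enabled, so the IRCd side of the issue applies.
CONF_WITH_SASL = """
/* constructed example unrealircd.conf fragment */
me { name "irc.example.net"; info "Example network"; sid "001"; };
set {
    kline-address "abuse@example.net";
    sasl-server "services.example.net";   // enables SASL
    modes-on-join "+nt";
};
"""

# Constructed sample after the advisory's workaround: set::sasl-server removed
# (followed by a rehash on the live server).
CONF_WITHOUT_SASL = """
me { name "irc.example.net"; info "Example network"; sid "001"; };
set {
    kline-address "abuse@example.net";
    modes-on-join "+nt";
};
"""

# Tokenizer: comments (/* */, // and #), quoted strings, structural characters
# and bare words. Alternation order matters: a '#' or '//' inside a quoted
# string is consumed by the string alternative, never treated as a comment.
_TOKEN = re.compile(
    r'/\*.*?\*/'             # block comment
    r'|//[^\n]*|#[^\n]*'     # line comments
    r'|"(?:[^"\\]|\\.)*"'    # quoted string
    r'|[{};]'                # structural characters
    r'|[^\s{};"]+',          # bare word
    re.S,
)

Item = Tuple[str, Optional[str], Optional[List["Item"]]]  # (name, value, children)


def parse_blocks(text: str) -> List[Item]:
    """Parse 'name [value] { items... };' into nested (name, value, children) tuples."""
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith(("/*", "//", "#"))]
    pos = 0

    def unquote(tok: str) -> str:
        return tok[1:-1] if tok.startswith('"') else tok

    def parse_items(inside_block: bool) -> List[Item]:
        nonlocal pos
        items: List[Item] = []
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == "}":
                if not inside_block:
                    raise ValueError("unexpected '}'")
                pos += 1
                return items
            if tok in ("{", ";"):
                raise ValueError(f"unexpected {tok!r}")
            name = unquote(tok)
            pos += 1
            value: Optional[str] = None
            children: Optional[List[Item]] = None
            if pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                value = unquote(tokens[pos])
                pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                children = parse_items(True)
            if pos < len(tokens) and tokens[pos] == ";":  # terminator after item or block
                pos += 1
            items.append((name, value, children))
        if inside_block:
            raise ValueError("unterminated block")
        return items

    return parse_items(False)


def sasl_server(config_text: str) -> Optional[str]:
    """Return the value of set::sasl-server, or None when SASL is not enabled.

    UnrealIRCd allows several set blocks; the last sasl-server seen wins here.
    """
    found = None
    for name, _value, children in parse_blocks(config_text):
        if name == "set" and children:
            for item, value, _ in children:
                if item == "sasl-server" and value:
                    found = value
    return found


def sasl_attack_surface_present(config_text: str) -> bool:
    """Advisory precondition 1: SASL is enabled in UnrealIRCd."""
    return sasl_server(config_text) is not None


if __name__ == "__main__":
    for label, conf in (("with SASL", CONF_WITH_SASL), ("workaround", CONF_WITHOUT_SASL)):
        print(f"{label}: set::sasl-server = {sasl_server(conf)!r}, "
              f"IRCd-side precondition met: {sasl_attack_surface_present(conf)}")
```

Run it against your own `conf/unrealircd.conf` by reading the file into `sasl_server()`; a `None` result means the quick workaround from the Q&A is already in effect (or SASL was never enabled), while any hostname means the advisory's precondition 1 holds and the remaining two checks belong on the services side.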