Crash issue in UnrealIRCd: apply hot fix ASAP or upgrade to 4.0.15

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

(You can unsubscribe here
<https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the
bottom of the page)

Hi everyone,

All UnrealIRCd versions up to and including 4.0.14 can be crashed by a
remote user. It is a crash only. Remote code execution is not possible.
There are actually two bugs. One of them can be triggered before the
user is fully connected (so this also affects hubs and
password-protected servers). The other bug requires a fully connected
client to trigger.
Credit goes to Joseph Bisch for finding the first bug. The other bug was
found internally after doing similar testing.

We have released UnrealIRCd 4.0.15 which addresses this issue. There is
also a "hot fix" available so you can patch your server _without
requiring an UnrealIRCd restart_. See *How to get the fix/patch?* below.

*Note for UnrealIRCd 3.2.x users:*

It was reported that UnrealIRCd 3.2.x is also affected. However the
3.2.x series are deprecated and no longer maintained
<https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated>. We
announced _back in 2015_ that all support, including security fixes,
would stop for 3.2.x after the year 2016.
If you are still running 3.2.x you should _really_ upgrade to UnrealIRCd
4. Upgrading is not hard, see the Upgrading from 3.2.x
<https://www.unrealircd.org/docs/Upgrading_from_3.2.x> wiki article.
It seems 3.2.x is only affected by the first issue and the patch is
identical. Therefore, for 3.2.x users on *NIX the patch script below
should work as well. However, _no_ warranty is provided and this is the
_last time_ such a fix is available. Upgrade to UnrealIRCd 4.x! We
already gave you two years of time.

*How to get the fix/patch?*

Windows users should install UnrealIRCd 4.0.15.

Linux/BSD/.. users can also install 4.0.15 *OR *you can choose to patch
UnrealIRCd on-the-fly _without a restart_.
Since the patch is usually the easiest and most user friendly solution,
we recommend it.
Run the following on the IRC shell (be sure to do this under the correct
user account and not as root):
wget https://www.unrealircd.org/patch/20171001patcher && sh
./20171001patcher

*Q&A*
*Have there been any reports of these bugs being abused by anyone?
*Not yet. But the issue is easy to trigger, so don't wait for it.

*Should I upgrade?
*Yes. You should upgrade or install the hot-fix as soon as possible.
*
****Are there any workarounds so I don't have to upgrade?*
**For UnrealIRCd 4.0.x on *NIX you can use the hot fix / patch so you
don't need to restart.
*****
***Can I upgrade without restarting the IRC server?
**With UnrealIRCd 4.0.x on Linux/BSD/.. yes. Run the following on the shell:
wget https://www.unrealircd.org/patch/20171001patcher && sh
./20171001patcher
*
****I don't like the patch script. How I can fix this by hand?
*If, for whatever reason, you don't want to use the simple patch script
from above then you can download
https://www.unrealircd.org/patch/20171001patcher.tar.gz instead.
Extract it somewhere and look at the contents. Among other things it
contains two .patch files. Apply the patches (note that the
20171001.2nd.patch is for 4.0.x only), recompile and rehash your
UnrealIRCd.*
*This is exactly the same as the patch script would do.
**
More information about the bug
**There are two bugs:

  * There's a handshake bug can be triggered before the user is fully
    connected. This allows a user to crash an UnrealIRCd server, even
    those with restrictions such as password protected hubs. This one
    has a CVSSv3 score of 7.5 (High):
    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * The other bug requires the client to fully connect, join a channel
    and have chanops. This one has a CVSSv3 score of 6.5 (Medium):
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Both issues are caused by dereferencing a NULL pointer. Remote code
execution through these bugs is not possible.

*Time line*
Both issues were fixed within 24 hours:
2017-09-30 17:42 Handshake crash issue reported by Joseph Bisch
2017-09-30 18:15 Issue confirmed
2017-09-30 19:00 Started looking for similar issues
2017-10-01 00:31 Preannouncement of the security issue (via Twitter and
UnrealIRCd forums)
2017-10-01 03:30 Additional security issue found internally after
running similar tests
2017-10-01 15:00 Security advisory, fixed version and patch published
/All date and times are in UTC/

*Updates to this advisory
*This release announcement/advisory can be found here
<https://forums.unrealircd.org/viewtopic.php?f=1&t=8751>. Small
corrections/updates will be posted there, if any.

-- 
Bram Matthys
Software developer/Security researcher  sy...@vu...
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: 2ABD 57FA 7783 5ADD C5EC  8ED7 DE93 B8B4 7E74 5EB3