Crash issue in UnrealIRCd: apply hot fix ASAP or upgrade to 4.0.15
Status: Beta
Brought to you by:
wildchild
Menu
▾
▴
Crash issue in UnrealIRCd: apply hot fix ASAP or upgrade to 4.0.15
|
From: Bram M. <sy...@un...> - 2017-10-01 12:32:25
|
(You can unsubscribe here <https://lists.sourceforge.net/lists/listinfo/unreal-notify> at the bottom of the page) Hi everyone, All UnrealIRCd versions up to and including 4.0.14 can be crashed by a remote user. It is a crash only. Remote code execution is not possible. There are actually two bugs. One of them can be triggered before the user is fully connected (so this also affects hubs and password-protected servers). The other bug requires a fully connected client to trigger. Credit goes to Joseph Bisch for finding the first bug. The other bug was found internally after doing similar testing. We have released UnrealIRCd 4.0.15 which addresses this issue. There is also a "hot fix" available so you can patch your server _without requiring an UnrealIRCd restart_. See *How to get the fix/patch?* below. *Note for UnrealIRCd 3.2.x users:* It was reported that UnrealIRCd 3.2.x is also affected. However the 3.2.x series are deprecated and no longer maintained <https://www.unrealircd.org/docs/UnrealIRCd_3.2.x_deprecated>. We announced _back in 2015_ that all support, including security fixes, would stop for 3.2.x after the year 2016. If you are still running 3.2.x you should _really_ upgrade to UnrealIRCd 4. Upgrading is not hard, see the Upgrading from 3.2.x <https://www.unrealircd.org/docs/Upgrading_from_3.2.x> wiki article. It seems 3.2.x is only affected by the first issue and the patch is identical. Therefore, for 3.2.x users on *NIX the patch script below should work as well. However, _no_ warranty is provided and this is the _last time_ such a fix is available. Upgrade to UnrealIRCd 4.x! We already gave you two years of time. *How to get the fix/patch?* Windows users should install UnrealIRCd 4.0.15. Linux/BSD/.. users can also install 4.0.15 *OR *you can choose to patch UnrealIRCd on-the-fly _without a restart_. Since the patch is usually the easiest and most user friendly solution, we recommend it. Run the following on the IRC shell (be sure to do this under the correct user account and not as root): wget https://www.unrealircd.org/patch/20171001patcher && sh ./20171001patcher *Q&A* *Have there been any reports of these bugs being abused by anyone? *Not yet. But the issue is easy to trigger, so don't wait for it. *Should I upgrade? *Yes. You should upgrade or install the hot-fix as soon as possible. * ****Are there any workarounds so I don't have to upgrade?* **For UnrealIRCd 4.0.x on *NIX you can use the hot fix / patch so you don't need to restart. ***** ***Can I upgrade without restarting the IRC server? **With UnrealIRCd 4.0.x on Linux/BSD/.. yes. Run the following on the shell: wget https://www.unrealircd.org/patch/20171001patcher && sh ./20171001patcher * ****I don't like the patch script. How I can fix this by hand? *If, for whatever reason, you don't want to use the simple patch script from above then you can download https://www.unrealircd.org/patch/20171001patcher.tar.gz instead. Extract it somewhere and look at the contents. Among other things it contains two .patch files. Apply the patches (note that the 20171001.2nd.patch is for 4.0.x only), recompile and rehash your UnrealIRCd.* *This is exactly the same as the patch script would do. ** More information about the bug **There are two bugs: * There's a handshake bug can be triggered before the user is fully connected. This allows a user to crash an UnrealIRCd server, even those with restrictions such as password protected hubs. This one has a CVSSv3 score of 7.5 (High): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * The other bug requires the client to fully connect, join a channel and have chanops. This one has a CVSSv3 score of 6.5 (Medium): CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Both issues are caused by dereferencing a NULL pointer. Remote code execution through these bugs is not possible. *Time line* Both issues were fixed within 24 hours: 2017-09-30 17:42 Handshake crash issue reported by Joseph Bisch 2017-09-30 18:15 Issue confirmed 2017-09-30 19:00 Started looking for similar issues 2017-10-01 00:31 Preannouncement of the security issue (via Twitter and UnrealIRCd forums) 2017-10-01 03:30 Additional security issue found internally after running similar tests 2017-10-01 15:00 Security advisory, fixed version and patch published /All date and times are in UTC/ *Updates to this advisory *This release announcement/advisory can be found here <https://forums.unrealircd.org/viewtopic.php?f=1&t=8751>. Small corrections/updates will be posted there, if any. -- Bram Matthys Software developer/Security researcher sy...@vu... Website: www.vulnscan.org PGP key: www.vulnscan.org/pubkey.asc PGP fp: 2ABD 57FA 7783 5ADD C5EC 8ED7 DE93 B8B4 7E74 5EB3 |
