Important: crash issue in UnrealIRCd 5 and UnrealIRCd 6
From: Bram M. <sy...@vu...> - 2022-01-28 15:45:45
UnrealIRCd 5 and UnrealIRCd 6 can be crashed by a regular user when a
certain command is sent. This results in all users being disconnected
from the server. There is no other risk than crashing (no buffer
overflow or anything, no risk of remote code execution).
If you have any deny dcc { } blocks in the config file or spamfilters on
the 'd' (dcc) target then the server can be crashed. This is true for
many servers as there is a deny dcc { } block in the example
configuration file (example.conf).
All U5 and U6 versions before January 28, 2022 are affected, so:
* UnrealIRCd 5.0.0 - 5.2.3
* UnrealIRCd 6.0.0 - 6.0.2-rc1
We recommend that admins apply the hot-patch (see next) ASAP, which will
fix the issue with zero downtime.
Apply hot-patch; no restart needed
*NIX users can fix this issue without needing to restart their IRC
server. Windows users will have to upgrade (see next section).
Go to your UnrealIRCd installation directory and then run:
    ./unrealircd hot-patch dcc_crash
This should end with the message "Done! All should be good now.". It is
a good idea to double-check on IRC that your server is fixed, see the
end of this news article.
The command from above is the recommended method. If instead you prefer
to fiddle with patch files and know how to apply these, then they can be
fetched for U5 <https://www.unrealircd.org/patches/dcc.u5.patch> or for
U6 <https://www.unrealircd.org/patches/dcc.u6.patch>. Another
alternative is to upgrade to 6.0.2 or 5.2.4 (see next).
Alternative: Upgrading
You can also choose to upgrade your entire UnrealIRCd. For example,
because you want the latest UnrealIRCd 6 features, or because you are on
Windows and cannot apply the hot-patch. For this we have released two
new UnrealIRCd versions:
* UnrealIRCd 5.2.4: compared to previous release the only thing extra
is the patch for the crash and a version bump
* UnrealIRCd 6.0.2: compared to previous release it contains lots of
enhancements, fixes and of course also the patch for the crash and
version bump
*NIX users typically upgrade to this version by running:
    ./unrealircd upgrade
You can also manually download and install UnrealIRCd from
www.unrealircd.org <https://www.unrealircd.org/>.
Verifying the server is now OK / Checking vulnerable / not vulnerable
As an IRCOp you can check on IRC whether the hot-patch has been applied
successfully, or if you have upgraded OK, or if the server is still
crashable (still has the bug). Checking this is a good idea.
Run the command */MODULE -all* and then search for the line about the
*message* module (about 20 lines before the end of the output). There is
a difference in the message module version number that can be seen (if
you are IRCOp):
* Vulnerable versions (both UnrealIRCd 5 and UnrealIRCd 6) look like:
  *** message 5.0 - private message and notice - by UnrealIRCd Team
* Fixed version UnrealIRCd 5 looks like:
  *** message 5.2.4 - private message and notice - by UnrealIRCd Team
* Fixed version UnrealIRCd 6 looks like:
  *** message 6.0.2 - private message and notice - by UnrealIRCd Team
* If you don't see a version number then you are not an IRC Operator.
You need to OPER up to see version numbers of modules.
You can also check remote servers by running */MODULE -all
name.of.server.net*
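
The /MODULE -all check described above can be scripted when you have many servers to verify. The following is an added example, not part of the original announcement or of UnrealIRCd: it classifies saved /MODULE -all output using only the three version strings listed above. The sample captures, the client timestamp prefix and the exact form of the line when no version number is shown are assumptions.

```python
import re

# Module version strings exactly as listed in the advisory.
VULNERABLE = {"5.0"}
FIXED = {"5.2.4", "6.0.2"}

# Matches only the "message" module line, not e.g. "message-tags".
# search() is used so client-added prefixes (timestamps) are tolerated.
MESSAGE_LINE = re.compile(
    r"\*\*\*\s+message(?:\s+(\d\S*))?\s+-\s+private message and notice"
)

def classify(module_output: str) -> str:
    """Classify saved /MODULE -all output for one server."""
    for line in module_output.splitlines():
        m = MESSAGE_LINE.search(line)
        if not m:
            continue
        version = m.group(1)
        if version is None:
            return "not-oper"        # no version shown: OPER up and re-run
        if version in VULNERABLE:
            return "vulnerable"
        if version in FIXED:
            return "fixed"
        return "unknown:" + version  # not covered by the advisory, check by hand
    return "missing"                 # message module line not in the capture

# Constructed captures: server names, timestamps, the message-tags
# description and the no-version line format are made up for this example.
TAIL = " - private message and notice - by UnrealIRCd Team"
SAMPLES = {
    "irc1.example.net": "[15:50] *** message-tags 5.0 - constructed description\n"
                        "[15:50] *** message 5.0" + TAIL,
    "irc2.example.net": "[15:51] *** message 5.2.4" + TAIL,
    "irc3.example.net": "[15:52] *** message 6.0.2" + TAIL,
    "irc4.example.net": "[15:53] *** message" + TAIL,
    "irc5.example.net": "[15:54] *** message-tags 5.0 - constructed description",
}

if __name__ == "__main__":
    for server, capture in SAMPLES.items():
        print(f"{server}: {classify(capture)}")
```

A result of "unknown:<version>" means the version string is not one of those named in this announcement and should be checked by hand.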
Further updates on this issue
In case there are any errors that need to be corrected (typos or
further info), then the news item will be updated on the forums
<https://forums.unrealircd.org/viewforum.php?f=1>.
--
Bram Matthys
Security and software eng...@vu...
Website:www.vulnscan.org
PGP key:www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB 04A7 6E67 6D45 7FE1 99A6