[Unreal-users] Security advisory: OpenSSL issue affects UnrealIRCd
From: Bram M. (Syzop) <sy...@un...> - 2006-09-29 20:16:24
NOTE: This security advisory is only relevant to people who have SSL
support enabled in their IRCd. If unsure, just read on.
SUMMARY
========
Yesterday, OpenSSL released a security advisory[1], stating that
multiple security bugs have been fixed. Most of these are DoS (Denial of
Service) issues. In this case it means an attacker could make the IRCd
eat up huge amounts of CPU and/or memory, effectively freezing the IRCd.
This is a bug in the OpenSSL library we use, not in the IRCd.
But, the UnrealIRCd team is:
A) Releasing a new Win32-SSL version to fix this issue (shipping with
updated OpenSSL DLLs)
..and at the same time..
B) Warning the public that this bug impacts UnrealIRCd servers
(just like it impacts apache-ssl, and any other programs relying on
OpenSSL)
HOW TO CHECK IF YOU ARE VULNERABLE
===================================
All IRC commands below should be executed as an IRCOp.
STEP ONE
---------
To check if you have any open SSL ports you do '/STATS P' (upcase 'P',
so *NOT* '/STATS p'). This will show something like:
*** Listener on ....:...., clients ... is PERM SSL
(multiple lines may be output)
If any of these lines have the word 'SSL' in it, then you have SSL
enabled. Go to STEP TWO.
If all lines are without 'SSL' (e.g. only '.. is PERM') then you are
generally not at risk. If you're extremely paranoid then you can still
upgrade, of course. There's a small risk if you are using SSL for
outgoing server connections (link blocks). Personally I wouldn't bother
doing an IRCd restart for that, but that's up to each admin to decide.
If it didn't show any lines with 'Listener on' in it, then you did
something wrong.
NOTE: If ANY listener is 'SSL' then you could be vulnerable (go to next
step). It doesn't matter whether the port is 'serversonly' or not. The
bug can be triggered before being registered.
STEP TWO
---------
To check out which OpenSSL version UnrealIRCd is using, you do
'/VERSION' on IRC as an IRCOp. You will then get a notice like:
-server.somenet.net- OpenSSL 0.9.7e 25 Oct 2004
OpenSSL has two series, 0.9.7* and 0.9.8*. The particular bugs we are
talking about have been fixed in both series in:
* OpenSSL 0.9.7l (and later)
* OpenSSL 0.9.8d (and later)
Windows users: if it shows anything other than these versions, then you
are vulnerable, continue to HOW TO FIX.
Unix users: if it shows any of the versions above, then you are safe.
If it shows an older version, then you could be vulnerable. The problem
with checking version numbers is that many *NIX distributors are
backporting fixes (which is generally a good idea btw), the consequence
of this is that bugs are fixed but the version number is not updated.
See HOW TO FIX.
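As an added illustration (not part of the advisory or of UnrealIRCd), the decision procedure of STEP ONE and STEP TWO in Python: it looks for SSL listeners in '/STATS P' output, parses the OpenSSL version from the '/VERSION' notice, and compares the patch letter against 0.9.7l / 0.9.8d. The sample listener lines and notices are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by OpenSSL series.
FIXED_LETTER = {"0.9.7": "l", "0.9.8": "d"}


def ssl_listeners(stats_p_lines):
    """Return the '/STATS P' listener lines that carry the word SSL."""
    return [ln for ln in stats_p_lines
            if "Listener on" in ln and re.search(r"\bSSL\b", ln)]


def parse_openssl_version(notice):
    """Extract (series, patch_letter) from a '/VERSION' notice such as
    '-server.somenet.net- OpenSSL 0.9.7e 25 Oct 2004'; None if absent."""
    m = re.search(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)", notice)
    return (m.group(1), m.group(2)) if m else None


def assess(stats_p_lines, version_notice, platform="unix"):
    """Apply STEP ONE and STEP TWO of the advisory.

    Returns 'not_at_risk' (no SSL listener), 'fixed' (at or beyond the
    fixed release), 'vulnerable' (Windows build older than the fix),
    'check_distro' (*NIX build reporting an older version, because
    distributors backport fixes without bumping the version string)
    or 'unknown' (no OpenSSL version or a series not covered here)."""
    if not ssl_listeners(stats_p_lines):
        return "not_at_risk"
    parsed = parse_openssl_version(version_notice)
    if parsed is None or parsed[0] not in FIXED_LETTER:
        return "unknown"
    series, letter = parsed
    # Patch levels are single letters; an empty letter is the base
    # release and sorts before 'a'.
    if (len(letter), letter) >= (1, FIXED_LETTER[series]):
        return "fixed"
    return "vulnerable" if platform == "windows" else "check_distro"


if __name__ == "__main__":
    # Constructed samples in the formats the advisory shows.
    stats = ["*** Listener on *:6667, clients 5 is PERM",
             "*** Listener on *:6697, clients 2 is PERM SSL"]
    notice = "-server.somenet.net- OpenSSL 0.9.7e 25 Oct 2004"
    print(assess(stats, notice, "windows"))  # vulnerable
    print(assess(stats, notice, "unix"))     # check_distro
```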
HOW TO FIX
===========
Windows users:
Go to http://www.unrealircd.com/?page=downloads and (re)download the
Unreal3.2 (Win32-SSL) version. When running the installer, the first
screen will show 'Unreal3.2.5 (w/openssl0.9.8d)' so you can easily see
it's the updated version. To verify for sure, see VERIFYING THE FIX.
*NIX users:
Check out your distributor to see if a fixed package is available, and
how to verify it is installed.
After the fix is installed, you will have to restart your IRC server.
VERIFYING THE FIX
==================
To verify that the fix is installed, you can check out '/VERSION' as an
IRCOp on IRC again. For Windows users it should show '0.9.8d'. For *NIX
users, it might not show that even if the fix is installed, as mentioned
earlier; use other means to verify the fix is installed (again, consult
the security advisory of your distributor).
REFERENCES
===========
[1] OpenSSL security advisory:
http://www.openssl.org/news/secadv_20060928.txt
[2] This security advisory:
http://www.unrealircd.com/txt/unreal325sslfix.txt
--
Bram Matthys
Software developer/IT consultant sy...@vu...
PGP key: www.vulnscan.org/pubkey.asc
PGP fp: 8DD4 437E 9BA8 09AA 0A8D 1811 E1C3 D65F E6ED 2AA2