Security: DoS issue in UnrealIRCd 3.2.9 Windows SSL version

News about the UnrealIRCd project, including release announcements
Post Reply
UnrealIRCd head coder
Posts: 1935
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Security: DoS issue in UnrealIRCd 3.2.9 Windows SSL version

Post by Syzop » Mon Nov 12, 2012 2:07 pm


A serious issue has been found in the Windows SSL versions of UnrealIRCd 3.2.9 and 3.2.10-rc1. This issue allows someone to remotely crash the server.

Admins of affected systems should upgrade immediately.

Note that only Windows versions with SSL support are affected.

Vulnerable versions:
* 3.2.9 on Windows with SSL support
* 3.2.10-rc1 on Windows with SSL support
Not vulnerable:
* 3.2.9 and 3.2.10-rc1 on *NIX (Linux, FreeBSD, ..)
* 3.2.9 and 3.2.10-rc1 on Windows without SSL support
* 3.2.9-winsslfix and 3.2.10-rc1-winsslfix
* and earlier

If you are unsure which version you are using, then follow this procedure:
Type /VERSION on IRC (on some clients you might have to type /QUOTE VERSION)
This should return a string like:
Unreal3.2.9. FhinWXeOoZE
This contains the version number, the server name, and the compile flags.
You are vulnerable if ALL these three conditions are met:
* The version is 'Unreal3.2.9' or 'Unreal3.2.10-rc1'
* The compile flags contain a 'W' (this means you're on Windows)
* The compile flags contain a lower case 'e' (this means you're using the SSL version)

Fixed Windows SSL versions can be identified by having 'winsslfix' in their version name.

If you are using any of the vulnerable versions then you should upgrade immediately as this is a serious issue.
Unfortunately there are no mitigating factors: even if you don't actually use SSL, or if you have password-protected your server or hub, then you are still vulnerable to this particular attack.

New Windows SSL versions are available from:

There's no update for *NIX or the non-SSL Windows version, as these are safe and thus do not require any update.

==[ IMPACT ]==
This issue will result in a direct server crash.
There's no possibility to execute any code, nor is there any information disclosure.

==[ CVSS ]==
CVSS v2.0 report:

Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

Access Vector: Network
Access Complexity: Low
Authentication: None

CVSS Base Score: 7.8

Availability of exploit: Proof of concept code[*]
Type of fix available: Official fix

CVSS Temporal Score: 6.1

[*] Proof of concept / exploit is currently not public. This is expected to change soon after the release of this security bulletin.

==[ TIMELINE ]==
Times are in UTC
2012-11-11 19:20 Bug reported
2012-11-12 11:03 Bug confirmed by developer
2012-11-12 11:22 Bug traced, fix available
2012-11-12 13:45 Fixed versions compiled and packaged
2012-11-12 14:00 Security announcement

==[ SOURCE ]==
This advisory (and updates to it, if any) is posted to: ... 121112.txt

Post Reply