Security: DoS in OpenSSL affecting UnrealIRCd
Post by Syzop » Thu Mar 19, 2015 8:23 pm

Several security issues were found in the OpenSSL library. The OpenSSL library is used by UnrealIRCd if you compiled with SSL support.

At least one issue is a server crash: the attacker sends some bad data and the IRC daemon will crash.

As far as we know there is NO risk for remote code execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries. All Windows SSL binaries until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.4-alpha1 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install). This is often not needed, but is sometimes necessary. If you do this, then also recompile any third-party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it
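Step 3 matters because a daemon that was started before the upgrade keeps the old libssl/libcrypto mapped in memory; on Linux the kernel marks such replaced files as "(deleted)" in /proc/<pid>/maps. The following script is an added example (not part of this advisory or of UnrealIRCd) that reads that file for a running process and reports stale OpenSSL mappings, i.e. a restart is still needed. The sample maps lines are constructed for the example; the path names and inode numbers are made up.

```python
import os

# Constructed sample of /proc/<pid>/maps lines, as they would look after
# libssl was upgraded on disk while the daemon kept running: the kernel
# appends "(deleted)" when the file behind a mapping has been replaced.
SAMPLE_MAPS = """\
7f3c2a000000-7f3c2a1c8000 r-xp 00000000 08:01 131102 /lib/x86_64-linux-gnu/libc-2.19.so
7f3c2a400000-7f3c2a460000 r-xp 00000000 08:01 131250 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c2a660000-7f3c2a860000 r-xp 00000000 08:01 131251 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3c2b000000-7f3c2b021000 rw-p 00000000 00:00 0 [heap]
"""


def stale_ssl_mappings(maps_text):
    """Return the sorted, unique paths of libssl/libcrypto mappings that the
    kernel has marked '(deleted)', i.e. the process still uses the OLD library.

    /proc/<pid>/maps format: address perms offset dev inode [pathname [(deleted)]]
    """
    stale = set()
    for line in maps_text.splitlines():
        # Split on whitespace into at most 6 fields; the 6th keeps the whole
        # pathname, including a trailing " (deleted)" marker if present.
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no pathname
        pathname = fields[5]
        if not pathname.endswith(" (deleted)"):
            continue  # mapping still backed by the file currently on disk
        path = pathname[: -len(" (deleted)")]
        if os.path.basename(path).startswith(("libssl", "libcrypto")):
            stale.add(path)
    return sorted(stale)


def process_needs_restart(pid):
    """Apply the check to a live process (Linux only). Returns the list of
    stale OpenSSL library paths; an empty list means no restart is needed
    because of a replaced libssl/libcrypto."""
    with open("/proc/%d/maps" % pid) as f:
        return stale_ssl_mappings(f.read())


if __name__ == "__main__":
    # Run against the constructed sample; for a real server use the ircd's PID,
    # e.g. process_needs_restart(int(open("ircd.pid").read())).
    for path in stale_ssl_mappings(SAMPLE_MAPS):
        print("still mapped but replaced on disk: %s" % path)
```

This only detects the "forgot to restart" case. It says nothing about whether the library on disk is actually fixed, so it complements, rather than replaces, the /VERSION check described further down.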

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or '/QUOTE VERSION'. If you have OpenSSL support compiled in you will see a line like this:
[18:40:06] -server.test.net- OpenSSL 1.0.1m 19 Mar 2015

Version 1.0.1m means you're good.

If you see anything lower than 1.0.1m, such as "1.0.1h" then you are possibly vulnerable, see next section.

If you see no such line at all (and, again, you are sure you are an IRCOp), then the server does not have SSL support (no OpenSSL in use). You're safe.

TIP: You can also check remote servers, again only if you are IRCOp, by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'
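If you check many servers (for example by collecting the /VERSION notices from each hub and leaf into a log), it helps to compare the reported version mechanically instead of by eye, because OpenSSL's letter suffixes ("1.0.1h" versus "1.0.1m") are easy to misread. The script below is an added example, not part of this advisory: it parses notice lines of the form shown above and compares the version against 1.0.1m, the fixed version named in this advisory. Only the 1.0.1 branch threshold is filled in; other branches are reported as "unknown-branch" and would need their own fixed version from the OpenSSL advisory. The sample notices are constructed for the example.

```python
import re

# Fixed version per OpenSSL branch. Only the branch named in this advisory is
# filled in; add other branches from the OpenSSL security advisory if needed.
FIXED_VERSIONS = {"1.0.1": "1.0.1m"}

# OpenSSL 0.9.x/1.0.x versions: major.minor.fix plus an optional letter suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

# A /VERSION server notice as shown in the advisory:
#   [18:40:06] -server.test.net- OpenSSL 1.0.1m 19 Mar 2015
NOTICE_RE = re.compile(r"-(?P<server>\S+)- OpenSSL (?P<version>\S+)")


def parse_openssl_version(ver):
    """Split '1.0.1m' into a comparable tuple (1, 0, 1, 'm').

    Patch releases in these branches are letter suffixes, and plain string
    comparison of the suffix orders them correctly ('h' < 'm', 'z' < 'zf');
    an empty suffix ('1.0.1') sorts before '1.0.1a'.
    """
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % ver)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def classify(version, fixed=FIXED_VERSIONS):
    """Return 'fixed', 'possibly-vulnerable' or 'unknown-branch'."""
    parsed = parse_openssl_version(version)
    branch = "%d.%d.%d" % parsed[:3]
    if branch not in fixed:
        return "unknown-branch"
    if parsed >= parse_openssl_version(fixed[branch]):
        return "fixed"
    return "possibly-vulnerable"


def check_version_notice(line):
    """Parse one notice line. Returns (server, version, verdict), or None
    when the line is not an OpenSSL version notice."""
    m = NOTICE_RE.search(line)
    if not m:
        return None
    server, version = m.group("server"), m.group("version")
    return (server, version, classify(version))


# Constructed sample notices; the first mirrors the line in the advisory.
SAMPLE_NOTICES = [
    "[18:40:06] -server.test.net- OpenSSL 1.0.1m 19 Mar 2015",
    "[18:41:10] -hub.test.net- OpenSSL 1.0.1h 5 Jun 2014",
    "[18:41:11] -hub.test.net- *** some unrelated notice",
]

if __name__ == "__main__":
    for line in SAMPLE_NOTICES:
        result = check_version_notice(line)
        if result is not None:
            print("%s: OpenSSL %s -> %s" % result)
```

Keep the Linux caveat from the 'FIXED VERSIONS' block in mind: a distro that backports the fix without bumping the version string will still show up as "possibly-vulnerable" here, so on such systems the verdict is a prompt to confirm with your vendor's package changelog, not a final answer.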

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix.exe' and 'Unreal3.4-alpha1-fix.exe'
After installation you will see no change in the UnrealIRCd version number. This is because no code in UnrealIRCd was actually changed; only the OpenSSL shipped with the Windows binaries was replaced.
You can, however, verify the OpenSSL version, see previous block 'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the '*NIX USERS' block above. Did you already follow those instructions, restart UnrealIRCd, and still see an old version in use? On several Linux distros this is pretty common, as vendors routinely backport security fixes without bumping the version number. So if you are on Linux, then after you have followed the 4 steps mentioned in '*NIX USERS' you more or less have to trust your vendor (and yourself).

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and the OpenSSL version is vulnerable, then the server can be attacked as soon as at least one port is reachable for the attacker. It doesn't matter whether this is an SSL or non-SSL port, or whether you have restrictive allow { } blocks.

In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-03-19 14:12 OpenSSL security announcement
2015-03-19 17:57 Downloads replaced
2015-03-19 20:15 Security announcement

==[ SOURCE ]==

This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsec ... 150319.txt