Security: DoS in OpenSSL affecting UnrealIRCd (again)

News about the UnrealIRCd project, including release announcements
Post Reply
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Security: DoS in OpenSSL affecting UnrealIRCd (again)

Post by Syzop »

The OpenSSL project team sent out a security advisory regarding several security issues that were found in the OpenSSL library.
The OpenSSL library is used by UnrealIRCd when you compiled with SSL support.

Most of the reported bugs result in a server crash or hang: the attacker sends some bad data and the IRC daemon will crash or hang.
One other issue is a possible 'SSL downgrade' attack called "Logjam" which could make SSL/TLS connections easier to crack (decrypt), but only if the attacker has access to the network path between the client and the server.

The OpenSSL development team says there is NO risk for remote code execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries. All Windows SSL binaries until today were using a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1 (Windows)
* Unreal3.4-alpha2 (Windows)
* Unreal3.4-alpha3 (Windows)
* Older Windows SSL versions are (very) likely affected as well

Unaffected:
* If you downloaded the non-SSL version for Windows
* Unreal3.2.10.4-SSL-fix2 (version shown by installer)
* Unreal3.4-alpha3-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install). This is often not needed, but is sometimes necessary. If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not a regular user!!), type '/VERSION' or
'/QUOTE VERSION'. If you have OpenSSL support compiled in you will see this:

Code: Select all

-server.test.net- OpenSSL 1.0.2b 11 Jun 2015
Version 1.0.2b means you're good.

If you see 1.0.0 with a version lower than 1.0.1s,
or 1.0.1 with a version lower than 1.0.1n,
or 1.0.2 with a version lower than 1.0.2b,
then you are possibly vulnerable, see next version.

If you see no such line at all, and again.. you are sure you are IRCOp, then it means the server does not have SSL support (no OpenSSL in use). You're safe.

TIP: You can also check remote servers, again only if you are IRCOp, by '/VERSION remote.server.name' or '/QUOTE VERSION remote.server'

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from https://www.unrealircd.org/
The installers have a filename like 'Unreal3.2.10.4-SSL-fix2.exe' and 'Unreal3.4-alpha3-fix.exe'
After installation, you see no change in UnrealIRCd version number. This is because no code in UnrealIRCd was actually changed.
You can, however, verify the OpenSSL version, see previous block 'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' about 40 lines up.
Did you already follow these instructions and you still see an old version in use? Even after you restarted UnrealIRCd?
On several Linux distro's this is pretty common as vendors routinely backport security fixes without bumping the version number. So if you are on Linux, then after you followed the 4 steps mentioned in '*NIX USERS' then you more or less have to trust your vendor (and yourself).
NOTE: At the time this security advisory was sent, the OpenSSL security advisory has only been out for an hour or so, so your distro may not have a new OpenSSL version available yet!

==[ ADDITIONAL NOTES ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and the OpenSSL version is vulnerable. Then if at least one port is reachable for the attacker it can be attacked. It doesn't matter if this is an SSL or non-SSL port and whether you have restrictive allow { } blocks or not. In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-06-11 14:45 OpenSSL security announcement
2015-06-11 15:33 Downloads replaced
2015-06-11 16:00 Security announcement

==[ LINKS ]==
This advisory (and updates to it, if any) is posted to:
https://www.unrealircd.org/txt/unrealse ... 150611.txt

The OpenSSL security advisory can be found on:
https://www.openssl.org/news/secadv_20150611.txt
Post Reply