OpenSSL/LibreSSL security issues affecting UnrealIRCd (May 3, 2016)

News about the UnrealIRCd project, including release announcements
Post Reply
Syzop
UnrealIRCd head coder
Posts: 1815
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

OpenSSL/LibreSSL security issues affecting UnrealIRCd (May 3, 2016)

Post by Syzop » Tue May 03, 2016 5:02 pm

OpenSSL/LibreSSL security issues

Summary: if you have SSL enabled in UnrealIRCd then please upgrade your OpenSSL/LibreSSL libraries (*NIX) or download the new installer (Windows only).

Two high impact vulnerabilities were found in OpenSSL and LibreSSL.

CVE-2016-2107 is described as follows: A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI. Note that to exploit this an attacker needs to be able to intercept & modify packets between the client and server. See the OpenSSL security advisory for technical details (note that CVE-2016-2107 is the 2nd issue in the advisory).

When UnrealIRCd is compiled with SSL/TLS support it uses the OpenSSL/LibreSSL library and is therefore affected by this issue. This affects +/- 50% of the UnrealIRCd installations out there.

Details on another vulnerability, CVE-2016-2108, were also published. That issue allows one to crash the server and may potentially allow remote code execution. However, the issue was already fixed a year ago in OpenSSL 1.0.2c. It was simply unknown to the OpenSSL folks at the time that the fix they made fixed a serious security issue. Again, see the OpenSSL security advisory for details. Specifically for UnrealIRCd it means that for this latter issue (CVE-2016-2108) Windows SSL versions of 3.2.10.5 and before are affected. The 3.2.10.6 Windows SSL version is not affected (it used OpenSSL 1.0.2e), but you probably still want to upgrade anyway because it's still vulnerable to the first issue (CVE-2016-2107).

Linux/*BSD/OS X
You are only unaffected if you are using UnrealIRCd 3.2.x and you did not compile with SSL support. This question is asked during ./Config: Do you want to support SSL (Secure Sockets Layer) connections? If you answered No then you are unaffected. If you answered Yes then you are affected.
UnrealIRCd 4.0.x always uses SSL/TLS so is always affected.

UnrealIRCd itself does not ship with OpenSSL/LibreSSL. Please use your distro tools to upgrade your SSL libraries (yum, apt-get, etc.). After upgrading the libraries you will have to restart UnrealIRCd. The same is true for other daemons using OpenSSL/LibreSSL by the way: apache, exim, etc.

Windows
UnrealIRCd 4.0.x (all versions) and UnrealIRCd 3.2.x (SSL versions) ship with vulnerable OpenSSL/LibreSSL. The downloads have therefore been replaced:
  • New versions of UnrealIRCd 4.0.3: The installer identifies itself as 4.0.3-SSL-sslfix. Other than that UnrealIRCd is exactly the same and the IRCd reports as 4.0.3 on IRC.
  • New versions of UnrealIRCd 3.2.10.6: The installer will identify itself as 3.2.10.6-sslfix. Other than that UnrealIRCd is exactly the same and the IRCd reports as 3.2.10.6 on IRC.
Note that this means that a regular user on IRC cannot judge from the UnrealIRCd version number (shown on IRC) if a server is vulnerable or not. This is exactly the same as on *NIX. See also next.

How to check which OpenSSL/LibreSSL version is in use
Important: Checking the SSL library version on *NIX isn't really useful. The reported library version is often an older OpenSSL version while in fact the libraries have been upgraded and you are safe. So just upgrade your OpenSSL or LibreSSL package as per your distro's advice, restart the IRCd and assume the upgrade succeeded.

As an IRCOp you can issue the /VERSION command (or /QUOTE VERSION). This should output something like this:

Code: Select all

UnrealIRCd-4.0.3. irc.server.net FhinW6OoErM [Microsoft Windows 7  Service Pack 1 (build 7601)=4000]
-irc.server.net- LibreSSL 2.3.4
-irc.server.net- libcurl/7.48.0 LibreSSL/2.0.0 c-ares/1.11.0
The line with LibreSSL 2.3.4 (or OpenSSL x.y.z) is what you should be looking for. Ignore any lines containing libcurl.
Fixed versions are: OpenSSL 1.0.2h and LibreSSL 2.3.4
Be sure to run this command as an IRC Operator, otherwise the SSL library version number is not shown.
Are you sure you run as an IRC Operator and you see the UnrealIRCd version but not the OpenSSL/LibreSSL lines? Then SSL is not enabled on your server and you are unaffected (this is only possible on 3.2.x).

TIP: You can also use /VERSION remote.server.name to query remote servers. Again, you have to be an IRC Operator to get meaningful results.

Final words
As always, you can download UnrealIRCd from www.unrealircd.org.

Post Reply