UnrealIRCd 4.0.5 released (Security fixes)

Syzop
UnrealIRCd head coder

Post by Syzop

Hi everyone,

UnrealIRCd 4.0.5 has been released today. We recommend everyone to upgrade to this version in the next few days as it fixes some serious issues:
  • Fix crash issue (read-after-free)
  • Prevent flood from unknown connection
  • Bans on IPv6 cloaked hosts had no effect
These issues affect all 4.0.x versions until now.

Issue details
The crash is rare under normal circumstances. However, it is possible to trigger the crash remotely on purpose if you know how.
The crash issue has a CVSS score of 7.5 (High): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RC:C

The "unknown connection flood" issue allows an attacker to consume IRCd resources. We have an "unknown flood" protection mechanism which was supposed to kick in and kill the user, but it didn't do this in time.
The unknown connection flood issue has a CVSS score of 5.3 (Medium): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RC:C

Finally, the IPv6 ban bug is an obvious mistake. Bans on nick, ident, hosts, IPv4 real IPs, IPv6 real IPs, vhosts, etc. all work, but bans on IPv6 cloaked hosts do not (*!*@XXXXXXX:YYYYYYY:ZZZZZZZ). If you ban a user with such a mask, they can still (re)join and speak. You can temporarily work around this bug by replacing the colons with question marks (+b *!*@XXXXXXX?YYYYYYY?ZZZZZZZ).

Q&A
Have there been any reports of this bug being abused by anyone?
We have had no reports of the crash or flood bug being abused by anyone. However, we recommend everyone to upgrade somewhere in the next couple of days.

Should I upgrade?
Yes.

Are there any workarounds so I don't have to upgrade?
For the IPv6 ban bug on cloaked hosts there's a workaround, see Issue details above. For the other bugs there is no workaround available.

Can I upgrade without restarting the IRC server?
No. Although a lot of UnrealIRCd is modularized, these bugs are located in the "core", which cannot be upgraded without a restart.

When were these issues reported?
The IPv6 ban issue was reported yesterday. The crash issue was reported before but the cause of it was very hard to trace. It was finally traced and fixed today. The flood issue was found recently during our own tests. We decided to bundle it with the other two fixes.

How serious are these bugs?
See the Issue details above. These include CVSS scores.

Download
As always, you can download UnrealIRCd from www.unrealircd.org.
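
For triage, the two CVSS vectors quoted under Issue details can be decoded and re-scored to confirm the stated 7.5 and 5.3. This is an added example, not code from the UnrealIRCd project; the weights and formulas are those of the CVSS v3.0 specification, and the function names are chosen here for illustration.

```python
import math

# CVSS v3.0 base metric weights (from the FIRST CVSS v3.0 specification).
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}
# Privileges Required weight depends on Scope: (unchanged, changed).
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}
# Report Confidence (temporal metric); X means "not defined".
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}

def roundup(x):
    """Round up to one decimal place, as the specification requires."""
    return math.ceil(round(x * 10, 6)) / 10  # round() absorbs float noise

def parse(vector):
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:3.0":
        raise ValueError("not a CVSS v3.0 vector")
    return dict(p.split(":", 1) for p in parts)

def score(vector):
    """Return (base, temporal). Only RC is supported as a temporal metric."""
    m = parse(vector)
    if "E" in m or "RL" in m:
        raise ValueError("E and RL are not handled by this example")
    changed = m["S"] == "C"
    iss = 1 - math.prod(1 - WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    expl = (8.22 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]]
            * PR[m["PR"]][changed] * WEIGHTS["UI"][m["UI"]])
    if impact <= 0:
        base = 0.0
    elif changed:
        base = roundup(min(1.08 * (impact + expl), 10))
    else:
        base = roundup(min(impact + expl, 10))
    return base, roundup(base * RC[m.get("RC", "X")])

CRASH = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/RC:C"
FLOOD = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/RC:C"
```

The two vectors differ only in the Availability impact (A:H for the crash, A:L for the flood), which accounts for the whole gap between High and Medium.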