Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)

News about the UnrealIRCd project, including release announcements
Post Reply
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Security: SASL security issue (UnrealIRCd 4.0.6 & 3.2.10.7 released)

Post by Syzop »

A security issue was detected in a number of IRCd's, including UnrealIRCd, regarding the way SASL is implemented.
If you use services and have SASL enabled (you need to do this explicitly) then you should patch or upgrade as soon as possible.
While this only affects 2% of our userbase, for those networks which are affected this is a very serious issue. If you are affected you can upgrade to one of the new UnrealIRCd releases or you can upgrade their existing UnrealIRCd without a restart (see below)

UPDATE: You can use our online security check to see if your server is vulnerable or not!

Note that releases and this security announcement have been made in a hurry. Details on this issue are already available online at other websites.

Issue details
An attacker can send an SSL fingerprint of his choice to services when doing SASL authentication. An attacker can compromise a services account if the user has an SSL fingerprint stored in services.

How to check if you are affected (how do I know if I use SASL?)
You are only affected if ALL of the following 3 conditions are true:
  • SASL is enabled in UnrealIRCd: check if set::sasl-server is set to a valid server
  • Your services support SASL (eg: anope)
  • Your services support SSL fingerprint authentication (eg: anope)
How to get the fix/patch?

Windows users should download and install UnrealIRCd 4.0.6 or 3.2.10.7.

Linux/BSD/.. users can also install 4.0.6 / 3.2.10.7 OR you can choose to patch UnrealIRCd on-the-fly without a restart.
Since the patch is usually the easiest and most user friendly solution, we recommend it.
Run the following on the IRC shell:

Code: Select all

wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
Q&A
Have there been any reports of these bugs being abused by anyone?
We don't know. It sounds likely, the issue is very easy to exploit.

Should I upgrade?
If you use SASL authentication then yes you should definitely upgrade. If you do not have SASL enabled then there is no need to upgrade at this time, this is true for most of our users (98%).

Are there any workarounds so I don't have to upgrade?
As a very quick workaround you could disable SASL entirely by removing the set::sasl-server setting and rehashing the IRCd.
You could also disable SASL at the services level. For anope you do this by unloading the m_sasl module (in anope).

Can I upgrade without restarting the IRC server?
On Windows no, but on Linux/BSD/.. yes you can. Run the following on the shell:

Code: Select all

wget http://www.unrealircd.org/patch/saslpatcher && sh saslpatcher
How serious are these bugs?
See the Issue details above. If you are affected then all user accounts with an SSL fingerprint for authentication can be compromised.

I don't trust the patch script. Where can I download a .patch or unidiff?
https://github.com/unrealircd/unrealirc ... 4a766.diff

When was this issue reported?
We received an email regarding this issue, but by the time it was read (90 minutes later) details were already published online. This UnrealIRCd release, patch and security announcement were thus made in a hurry and were sent out 2 hours later.
Post Reply