Crash issue in UnrealIRCd: apply hot fix ASAP or upgrade to 4.0.15

Post by Syzop »

All UnrealIRCd versions up to and including 4.0.14 can be crashed by a remote user. It is a crash only. Remote code execution is not possible.
There are actually two bugs. One of them can be triggered before the user is fully connected (so this also affects hubs and password-protected servers). The other bug requires a fully connected client to trigger.
Credit goes to Joseph Bisch for finding the first bug. The other bug was found internally after doing similar testing.

We have released UnrealIRCd 4.0.15 which addresses this issue. There is also a "hot fix" available so you can patch your server without requiring an UnrealIRCd restart. See How to get the fix/patch? below.

Note for UnrealIRCd 3.2.x users:

It was reported that UnrealIRCd 3.2.x is also affected. However, the 3.2.x series is deprecated and no longer maintained. We announced back in 2015 that all support, including security fixes, would stop for 3.2.x after the year 2016.
If you are still running 3.2.x you should really upgrade to UnrealIRCd 4. Upgrading is not hard; see the Upgrading from 3.2.x wiki article.
It seems 3.2.x is only affected by the first issue and the patch is identical. Therefore, for 3.2.x users on *NIX the patch script below should work as well. However, no warranty is provided and this is the last time such a fix is available. Upgrade to UnrealIRCd 4.x! We already gave you two years of time.

How to get the fix/patch?
Windows users should install UnrealIRCd 4.0.15.
Linux/BSD/.. users can also install 4.0.15 OR you can choose to patch UnrealIRCd on-the-fly without a restart.
Since the patch is usually the easiest and most user friendly solution, we recommend it.
Run the following on the IRC shell (be sure to do this under the correct user account and not as root):

wget && sh ./20171001patcher
Have there been any reports of these bugs being abused by anyone?
Not yet. But the issue is easy to trigger, so don't wait for it.

Should I upgrade?
Yes. You should upgrade or install the hot-fix as soon as possible.

Are there any workarounds so I don't have to upgrade?
For UnrealIRCd 4.0.x on *NIX you can use the hot fix / patch so you don't need to restart.

Can I upgrade without restarting the IRC server?
With UnrealIRCd 4.0.x on Linux/BSD/.. yes. Run the following on the shell:

wget && sh ./20171001patcher
I don't like the patch script. How can I fix this by hand?
If, for whatever reason, you don't want to use the simple patch script from above then you can download instead.
Extract it somewhere and look at the contents. Among other things it contains two .patch files. Apply the patches (note that the 20171001.2nd.patch is for 4.0.x only), recompile and rehash your UnrealIRCd.
This is exactly the same as the patch script would do.

More information about the bug
There are two bugs:
  • There's a handshake bug that can be triggered before the user is fully connected. This allows a user to crash an UnrealIRCd server, even those with restrictions such as password protected hubs. This one has a CVSSv3 score of 7.5 (High): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • The other bug requires the client to fully connect, join a channel and have chanops. This one has a CVSSv3 score of 6.5 (Medium): CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Both issues are caused by dereferencing a NULL pointer. Remote code execution through these bugs is not possible.

Time line
Both issues were fixed within 24 hours:
2017-09-30 17:42 Handshake crash issue reported by Joseph Bisch
2017-09-30 18:15 Issue confirmed
2017-09-30 19:00 Started looking for similar issues
2017-10-01 00:31 Preannouncement of the security issue (via Twitter and UnrealIRCd forums)
2017-10-01 03:30 Additional security issue found internally after running similar tests
2017-10-01 15:00 Security advisory, fixed version and patch published
All dates and times are in UTC.

Updates to this advisory
Small corrections/updates will be posted here in this thread, if any.