Security: DoS issue in UnrealIRCd 3.2.9 Windows SSL version

Syzop
UnrealIRCd head coder


Post by Syzop »

SECURITY ADVISORY
==================

A serious issue has been found in the Windows SSL versions of UnrealIRCd 3.2.9 and 3.2.10-rc1. This issue allows someone to remotely crash the server.

Admins of affected systems should upgrade immediately.

Note that only Windows versions with SSL support are affected.

==[ AFFECTED VERSIONS ]==
Vulnerable versions:
* 3.2.9 on Windows with SSL support
* 3.2.10-rc1 on Windows with SSL support
Not vulnerable:
* 3.2.9 and 3.2.10-rc1 on *NIX (Linux, FreeBSD, ..)
* 3.2.9 and 3.2.10-rc1 on Windows without SSL support
* 3.2.9-winsslfix and 3.2.10-rc1-winsslfix
* 3.2.8.1 and earlier

If you are unsure which version you are using, then follow this procedure:
Type /VERSION on IRC (on some clients you might have to type /QUOTE VERSION)
This should return a string like:
Unreal3.2.9. server.name FhinWXeOoZE
This contains the version number, the server name, and the compile flags.
You are vulnerable if ALL these three conditions are met:
* The version is 'Unreal3.2.9' or 'Unreal3.2.10-rc1'
* The compile flags contain a 'W' (this means you're on Windows)
* The compile flags contain a lower case 'e' (this means you're using the SSL version)

Fixed Windows SSL versions can be identified by having 'winsslfix' in their version name.
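
The three-condition check above, written out as an added Python example (not part of the original advisory or of UnrealIRCd itself). The function names are hypothetical; stripping the trailing '.' from the version token and a leading ':' from the flags token are assumptions based on the sample string shown above.

```python
# Added example: apply the advisory's three-condition check to a /VERSION reply.
VULNERABLE_VERSIONS = {"Unreal3.2.9", "Unreal3.2.10-rc1"}  # from the advisory


def parse_version_reply(reply):
    """Return (version, server_name, compile_flags) from a /VERSION reply."""
    tokens = reply.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("Unreal") and i + 2 < len(tokens):
            version = tok.rstrip(".")          # assumption: drop the trailing '.'
            flags = tokens[i + 2].lstrip(":")  # assumption: raw replies may prefix ':'
            return version, tokens[i + 1], flags
    raise ValueError("no UnrealIRCd version string found in reply")


def assess(reply):
    """Evaluate the three conditions; all must hold for the server to be vulnerable."""
    version, server, flags = parse_version_reply(reply)
    checks = {
        "affected_version": version in VULNERABLE_VERSIONS,
        "windows_build": "W" in flags,  # case-sensitive
        "ssl_build": "e" in flags,      # lower case 'e' only; 'E' does not count
    }
    return {
        "server": server,
        "version": version,
        "flags": flags,
        "checks": checks,
        "fixed_build": "winsslfix" in version,
        "vulnerable": all(checks.values()),
    }


if __name__ == "__main__":
    # First line is the advisory's sample; the rest are constructed for illustration.
    samples = [
        "Unreal3.2.9. server.name FhinWXeOoZE",
        "Unreal3.2.9-winsslfix. server.name FhinWXeOoZE",
        "Unreal3.2.10-rc1. server.name FhinWXOoZE",
        "Unreal3.2.9. server.name FhinXeOoZE",
    ]
    for line in samples:
        result = assess(line)
        status = "VULNERABLE" if result["vulnerable"] else "not vulnerable"
        print(f"{result['version']:<24} flags={result['flags']:<12} {status}")
```
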

==[ SHOULD I UPGRADE? ]==
If you are using any of the vulnerable versions then you should upgrade immediately as this is a serious issue.
Unfortunately there are no mitigating factors: even if you don't actually use SSL, or if you have password-protected your server or hub, then you are still vulnerable to this particular attack.

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from:
http://www.unrealircd.com/

There's no update for *NIX or the non-SSL Windows version, as these are safe and thus do not require any update.

==[ IMPACT ]==
This issue will result in a direct server crash.
There's no possibility to execute any code, nor is there any information disclosure.

==[ CVSS ]==
CVSS v2.0 report:

Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

Access Vector: Network
Access Complexity: Low
Authentication: None

CVSS Base Score: 7.8

Availability of exploit: Proof of concept code[*]
Type of fix available: Official fix

CVSS Temporal Score: 6.1

[*] Proof of concept / exploit is currently not public. This is expected to change soon after the release of this security bulletin.

==[ TIMELINE ]==
Times are in UTC
2012-11-11 19:20 Bug reported
2012-11-12 11:03 Bug confirmed by developer
2012-11-12 11:22 Bug traced, fix available
2012-11-12 13:45 Fixed versions compiled and packaged
2012-11-12 14:00 Security announcement

==[ SOURCE ]==
This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsec ... 121112.txt