Security advisory: SSL Heartbeat issue & UnrealIRCd

Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

UPDATE: We now suggest you replace your SSL certificate & keys if you are affected by this bug. Also, some information has been updated regarding the (actual) proven danger of this attack.

A serious issue in OpenSSL was reported yesterday, the so-called 'Heartbleed' bug (CVE-2014-0160).
This bug is very serious because it gives remote users the ability to read highly sensitive data from memory. This may very well include private SSL keys, passwords, etc.

There's a lot of media attention regarding this bug, and a lot of attention from hackers. An exploit has been available for this bug for some time, although it is unknown for how long; in any case, an exploit was already available before the security advisory from OpenSSL was sent out. The issue itself has existed in OpenSSL since March 2012.

I have personally tested an exploit that worked on UnrealIRCd after modifications; this indeed revealed memory on remote UnrealIRCd servers, including OpenSSL data and even some short phrases of text said by other users. This bug is very real and, just to be clear, it works on any vulnerable SSL-capable server, not just UnrealIRCd. In fact, it's not limited to SSL IRC only: programs like Apache and Exim and any other SSL services are also affected.

UNREALIRCD & HEARTBLEED
UnrealIRCd uses the OpenSSL library for all its SSL/TLS functionality. So if you are using an UnrealIRCd version with SSL support then you may be vulnerable to this serious security issue.

Note that even if you are not actively using SSL/TLS, even if you have no SSL listen ports, the simple fact that you COMPILED WITH OpenSSL support means you may be affected.

Even if your server is completely password-protected, like a hub, you are still affected if you are running a vulnerable version of OpenSSL.

HOW TO CHECK IF YOU ARE USING OPENSSL AND WHICH VERSION
Windows users who already know they are using the SSL version of UnrealIRCd can take a shortcut here: UnrealIRCd 3.2.9-SSL and later on Windows are all vulnerable, skip directly to 'I AM VULNERABLE - WHAT TO DO?'.

The best way to check if you are vulnerable is to execute /VERSION as an IRC Operator (IRCOp) on your server and verify the OpenSSL version.

As IRCOp you can also check other servers for OpenSSL on your network by using: /VERSION [remote server name]

This should output the UnrealIRCd version (eg: Unreal3.2.10.2) and some more:

1) If you have SSL enabled then you will see something like:
[17:58:04] -serv.er.name- OpenSSL A.B.Cd [Some Date]
Continue reading under 'I AM USING SSL - AM I VULNERABLE?'...

2) If you are an IRCOp, you did /VERSION, and you did not see any line with 'OpenSSL' in it, then this means OpenSSL support is not compiled in and you are safe. You don't need to take any action and can stop reading.

Note that if you are NOT an IRCOp then no OpenSSL version information will be displayed. Therefore it's important you execute the /VERSION command as IRCOp.

I AM USING SSL - AM I VULNERABLE?
The following OpenSSL versions have the security issue:
* 1.0.1 up to and including 1.0.1f (so: 1.0.1a, 1.0.1b, etc..) -- there's a catch, see the NOTE about Debian/Ubuntu later on in this document
* 1.0.2-beta1

The following versions are safe:
* Any version before 1.0.1, so 1.0.0x or 0.9.8etc...
* 1.0.1g (which has just been released on April 7, 2014)

If you are using any such 'safe' version, then you don't need to take any action.

I AM VULNERABLE - WHAT TO DO?
If you are indeed using 1.0.1-1.0.1f then you are affected by this security issue.

There are two steps you need to take:

1a. Windows
Simply re-download the package from http://www.unrealircd.com/
The installer will show 'Unreal3.2.10.2-SSL with Heartbeat fix', and once installed you will see (by using /VERSION as IRCOp) the OpenSSL version is 1.0.1g.

1b. Linux / *NIX
Update your system the usual way. This depends on your OS and distribution.
On Debian/Ubuntu it's 'apt-get update; apt-get upgrade', while on Redhat-based systems 'yum' is used, etc...
If you don't have root on your system, consult your (shell) provider.

You normally don't need to recompile UnrealIRCd. But once you have installed an updated version of OpenSSL you must RESTART UnrealIRCd. A simple /REHASH is not sufficient.
After UnrealIRCd has been restarted, verify that your OpenSSL version is indeed safe now. You can see the OpenSSL version in the boot screen of ./unreal start, or check it by running /VERSION as IRCOp as mentioned earlier.
NOTE: Unfortunately, distros like Debian and Ubuntu didn't update the OpenSSL version number, so even after an upgrade it will still show an 'old version'. After you have upgraded the openssl package and restarted the IRCd you'll have to assume that you're safe.

2. Create a new certificate & keypair
Because this bug can potentially expose your private SSL key, and the exploit leaves no traces, it is possible that a remote user was able to retrieve your private SSL key and can decrypt all your server traffic. Since there's no way of telling whether this has happened, it's best to err on the side of caution and create a new SSL certificate & keys. Of course, you should only do this AFTER you have upgraded your server.

Windows: Start -> Programs -> UnrealIRCd -> Make Certificate
*NIX: Run 'make pem' in your Unreal3.2.x directory. After that use 'make install' if you installed UnrealIRCd in a different directory.

After that, run /REHASH -ssl as an IRCOp to have the new certificate & keys loaded.
So while you WILL need to restart UnrealIRCd after an OpenSSL version upgrade (as explained earlier), for reloading the certificate/keys no restart is necessary, and you can just use this command.

TIMELINE
[2014-04-07 18:39 GMT] OpenSSL Security advisory
[2014-04-08 15:39 GMT] UnrealIRCd windows download replaced
[2014-04-08 16:55 GMT] UnrealIRCd advisory e-mail sent out
[2014-04-09 11:54 GMT] Advisory updated with regards to actual exploit information & advice to regenerate SSL cert/keys
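
As an added example (not part of Syzop's advisory and not UnrealIRCd project code), the POSIX shell functions below apply the affected/safe version list from the advisory to the OpenSSL string that /VERSION shows an IRCOp, so the notice lines collected from "/VERSION <server>" across a whole network can be classified in one go. The server names and notice lines in the sample loop are constructed. The advisory's caveat still applies: on Debian/Ubuntu the version string does not change when the fix is installed, so "vulnerable" from the string alone means "check the package", not confirmed exposure.

```shell
#!/bin/sh
# Added example, not code from the advisory or from UnrealIRCd: classify the
# OpenSSL version reported by "/VERSION" (as IRCOp) or by "openssl version"
# against the affected/safe list in the advisory above.
# Caveat from the advisory: Debian/Ubuntu ship the fix without changing the
# version string, so "vulnerable" here means "check the package", not proof.

# Print "vulnerable", "safe" or "unknown" for a bare version token such as
# 1.0.1e, 1.0.1g, 1.0.0j or 1.0.2-beta1.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;  # 1.0.1 up to and including 1.0.1f
        1.0.2-beta1)                   echo vulnerable ;;  # listed in the advisory
        1.0.1[g-z]*)                   echo safe ;;        # 1.0.1g and later letters
        0.9.*|1.0.0*)                  echo safe ;;        # no heartbeat extension at all
        *)                             echo unknown ;;     # not covered by the advisory
    esac
}

# Pull the version token out of a /VERSION notice line such as
#   [17:58:04] -serv.er.name- OpenSSL 1.0.1e 11 Feb 2013
# Prints nothing when the line carries no "OpenSSL" text.
openssl_version_from_notice() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'
}

# Classify a whole notice line; "no-openssl" mirrors case 2 of the advisory
# (no OpenSSL line means OpenSSL support is not compiled in, or you are not
# IRCOp and the line was never sent to you).
check_version_notice() {
    v=$(openssl_version_from_notice "$1")
    if [ -z "$v" ]; then
        echo no-openssl
    else
        heartbleed_status "$v"
    fi
}

# Constructed notice lines (example server names, not real hosts), as they
# would be pasted from "/VERSION <server>" run against each server on a network.
for line in \
    '[17:58:04] -serv.er.name- OpenSSL 1.0.1e 11 Feb 2013' \
    '[17:58:05] -hub.example.net- OpenSSL 1.0.1g 7 Apr 2014' \
    '[17:58:06] -leaf.example.net- OpenSSL 1.0.0j 10 May 2012' \
    '[17:58:07] -beta.example.net- OpenSSL 1.0.2-beta1 24 Feb 2014' \
    '[17:58:08] -nossl.example.net- Unreal3.2.10.2. nossl.example.net'
do
    printf '%-11s %s\n' "$(check_version_notice "$line")" "$line"
done
```

Anything the advisory does not list (for instance a later 1.0.2 beta or a development snapshot) comes back as "unknown" rather than being guessed either way; treat those the same as "vulnerable" until you have checked the library itself.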
TheSnowedOne
Posts: 0
Joined: Wed Apr 09, 2014 4:39 pm

Re: Security advisory: SSL Heartbeat issue & UnrealIRCd

Post by TheSnowedOne »

I would note that for distros like Debian and Ubuntu you can check whether your version has been patched by checking the build date of openssl. You can do this with the following command:

root@someserver:~# openssl version -b
built on: Mon Apr 7 21:22:23 UTC 2014
root@someserver:~#

Patched openssl libraries on these platforms will have a build date of April 7, 2014 or later.
ohnobinki
UnrealIRCd coder
Posts: 6
Joined: Mon Aug 03, 2009 1:54 am
Location: Middle Earth

Re: Security advisory: SSL Heartbeat issue & UnrealIRCd

Post by ohnobinki »

I would also like to note that as long as unrealircd is linking against a fixed version of openssl provided by your distro (you updated the openssl package and have since restarted unrealircd), you should be fine (unless you statically linked unrealircd against openssl).

Unfortunately, the version of openssl displayed in /VERSION is merely the OPENSSL_VERSION_TEXT constant from the openssl headers from when unrealircd was compiled. Thus, if you drop in a replacement openssl shared object that unrealircd links against, unrealircd will continue displaying the version it was compiled against even if it is really running against a different OpenSSL version.

This means two things: if /VERSION displays a safe version of OpenSSL, that doesn't mean that the openssl library UnrealIRCd is linked against is necessarily safe. And the other way around: if /VERSION displays an unsafe version of OpenSSL after you have updated the library in the system and restarted UnrealIRCd, UnrealIRCd may actually be linking against a safe version of the library. Just double check which exact libssl.so unrealircd is linking against with ldd and check with your package manager that it is a safe version. In most cases, TheSnowedOne's suggestion of querying the "openssl" CLI tool will also give you the correct results.

E.g., on Gentoo. You probably want to replace $(which unrealircd) with src/ircd or bin/ircd or the path to your unrealircd executable:


ohnobinki@ohnopublishing ~/unreal-hg $ ldd $(which unrealircd) | grep -e libssl
        libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f41153f9000)
ohnobinki@ohnopublishing ~/unreal-hg $ qfile -v /usr/lib64/libssl.so.1.0.0
dev-libs/openssl-1.0.0j (/usr/lib64/libssl.so.1.0.0)
And, obviously, that particular install of unrealircd is unaffected by heartbleed because it’s linked against an ancient openssl (1.0.0j) (who knows, maybe that version has other security problems—I’m upgrading it to 1.0.1g for starters anyway).

Unless the service has died, you can also use this random online tool to check your install for heartbleed. Just specify your pure SSL listen port: http://filippo.io/Heartbleed/#irc2.unrealircd.org:6697
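
An added example covering both TheSnowedOne's build-date check and ohnobinki's point that /VERSION shows only the compile-time string (this is not code from either poster or from UnrealIRCd). The three POSIX shell functions work on text, so they run on the constructed samples at the bottom; on a live host you would feed them the real output of `openssl version -b`, `ldd src/ircd` and `cat /proc/$(pidof ircd)/maps`. The process name `ircd`, the library paths and the maps/ldd lines are assumptions made for the example. The third check is the one that answers the advisory's "you must RESTART, /REHASH is not sufficient": a process that is still running on the pre-upgrade libssl shows that file as "(deleted)" in its /proc maps.

```shell
#!/bin/sh
# Added example, not code from the posters above or from UnrealIRCd. Three
# text-processing checks for the situation ohnobinki describes: the string
# shown by /VERSION is the compile-time OPENSSL_VERSION_TEXT, so the running
# library has to be verified some other way. Each function reads text so it
# can be exercised on the constructed samples at the bottom; on a live host
# feed it the real thing, e.g. `openssl version -b`, `ldd src/ircd` and
# `cat /proc/$(pidof ircd)/maps` (assumption: the IRCd process is called ircd).

# 1. TheSnowedOne's build-date check. Prints "patched-build" when the
#    "built on:" date is 7 Apr 2014 or later, "old-build" before that, and
#    "unknown" if the line does not parse. Accepts both
#    "built on: Mon Apr  7 21:22:23 UTC 2014" and the later
#    "built on: Tue Mar 19 18:58:09 2019 UTC" layout.
build_date_status() {
    # extract month name, day and 4-digit year; the command substitution runs
    # before "set --" replaces the function's positional parameters
    set -- $(printf '%s\n' "$1" | sed -n \
        's/^built on: *[A-Za-z]* *\([A-Za-z]*\) *\([0-9][0-9]*\).*[^0-9]\([0-9][0-9][0-9][0-9]\)\([^0-9].*\)*$/\1 \2 \3/p')
    [ $# -eq 3 ] || { echo unknown; return; }
    case "$1" in
        Jan) m=1 ;;  Feb) m=2 ;;  Mar) m=3 ;;  Apr) m=4 ;;  May) m=5 ;;  Jun) m=6 ;;
        Jul) m=7 ;;  Aug) m=8 ;;  Sep) m=9 ;;  Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) echo unknown; return ;;
    esac
    d=${2#0}                                   # "07" -> "7", avoids octal in $(( ))
    stamp=$(( $3 * 10000 + m * 100 + d ))      # YYYYMMDD as one integer
    if [ "$stamp" -ge 20140407 ]; then echo patched-build; else echo old-build; fi
}

# 2. Which libssl the binary will load at start (from `ldd` output); that is
#    the file to hand to dpkg -S / rpm -qf / qfile to learn the package version.
libssl_path_from_ldd() {
    sed -n 's/^[[:space:]]*libssl[^=]*=> *\([^ ]*\).*/\1/p'
}

# 3. Whether a running process still maps a libssl that was replaced on disk.
#    A package upgrade unlinks the old file, but every process that was not
#    restarted keeps the old inode mapped and /proc/PID/maps shows it with a
#    "(deleted)" suffix. Reads maps text on stdin and prints "restart-needed",
#    "current" or "no-libssl" (statically linked, or no OpenSSL at all).
libssl_mapping_status() {
    paths=$(grep 'libssl' | sed 's/^[^/]*//' | sort -u)   # path column only, one line per file
    if [ -z "$paths" ]; then
        echo no-libssl
    elif printf '%s\n' "$paths" | grep -q '(deleted)$'; then
        echo restart-needed
    else
        echo current
    fi
}

# --- constructed samples, not captured from a real host --------------------
build_date_status 'built on: Mon Apr  7 21:22:23 UTC 2014'   # patched-build
build_date_status 'built on: Tue Feb 11 15:03:28 UTC 2013'   # old-build

printf '%s\n' '        libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f41153f9000)' \
    | libssl_path_from_ldd                                   # /usr/lib64/libssl.so.1.0.0

# maps excerpt of an IRCd that was not restarted after the openssl upgrade
printf '%s\n' \
    '7f41153f9000-7f4115458000 r-xp 00000000 08:01 393506   /usr/lib64/libssl.so.1.0.0 (deleted)' \
    '7f4115458000-7f4115658000 ---p 0005f000 08:01 393506   /usr/lib64/libssl.so.1.0.0 (deleted)' \
    | libssl_mapping_status                                  # restart-needed
```

On a real host the useful combination is: `ldd` to find the file, the package manager to confirm that file's package is a fixed build, and the maps check on the running PID to confirm the restart actually happened; "no-libssl" from the maps check on a binary that ldd says does use OpenSSL is the static-link case ohnobinki mentions, where only a recompile and restart picks up the fix.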
Keanu73
Posts: 0
Joined: Thu Apr 10, 2014 3:49 pm

Re: Security advisory: SSL Heartbeat issue & UnrealIRCd

Post by Keanu73 »

Is 1.1.0-dev vulnerable?
katsklaw
Posts: 1124
Joined: Sun Apr 18, 2004 5:06 pm

Re: Security advisory: SSL Heartbeat issue & UnrealIRCd

Post by katsklaw »

Keanu73 wrote:Is 1.1.0-dev vulnerable?

I would assume not. They would patch it at the same time as they would their stable versions.