UnrealIRCd and the recent OpenSSL advisory (CVE-2021-3449)

News about the UnrealIRCd project, including release announcements
Post Reply
Syzop
UnrealIRCd head coder
Posts: 1973
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

UnrealIRCd and the recent OpenSSL advisory (CVE-2021-3449)

Post by Syzop »

Hi everyone,

Today, the OpenSSL project issued a security advisory: "NULL pointer deref in signature_algorithms processing (CVE-2021-3449)".
It basically means most SSL/TLS servers on the Internet can be crashed. Other than crashing the server no damage can be done (no execution of code). The bug description is very clear so personally I expect exploits to be published soon, today or tomorrow, that will allow malicious people to crash SSL/TLS servers (apache, nginx, etc).
This also means an attacker can crash UnrealIRCd. And, as we all know, crashing an IRC server can be quite troublesome, since it means everyone disconnects and a lot of text/havoc on the screen.

We highly recommend to upgrade the OpenSSL package on your system/distro. Consult your system/distro security announcements and documentation for how to do so.

After upgrading OpenSSL you would have to restart UnrealIRCd to fix the crash bug. It cannot be fixed with a /REHASH. Only a restart will cause it to load the (upgraded) OpenSSL library.
Or, alternatively, don't do the restart and risk an attacker crashing it once, and then let a cron job bring it back up a few minutes later with the fixed openssl. Of course, an evil guy may crash all your servers at once at some inconvenient time, so whether that is a good idea or not is up to you. The choice is yours.

There is technically no need to recompile UnrealIRCd. But, if you are restarting UnrealIRCd anyway, then maybe you could consider upgrading UnrealIRCd at the same time to latest version (5.0.9 as we speak), to kill two birds with one stone. But, again, this is not required!

UnrealIRCd itself does not ship with any openssl code so there will be no fixed source code release.
The only binary releases we have that uses an SSL library is the Windows one. Currently it is unknown if it is affected by the bug as it uses libressl instead of openssl. We will do a new windows release if libressl does a security announcement somewhere in the next few days.

Please do not contact us for help with configuring or upgrading your OpenSSL. This is not our code, we are simply using this library just like most SSL/TLS programs out there.

Regards,

Bram Matthys (Syzop)
CrazyCat
Posts: 130
Joined: Thu Apr 28, 2005 1:05 pm
Location: France
Contact:

Re: UnrealIRCd and the recent OpenSSL advisory (CVE-2021-3449)

Post by CrazyCat »

Thanks for the advisory, Syzop.
I didn't read las news about SSL, but I'll update my servers as soon as possible.
Lord255
Posts: 67
Joined: Sat Feb 29, 2020 12:58 am
Location: offline

Re: UnrealIRCd and the recent OpenSSL advisory (CVE-2021-3449)

Post by Lord255 »

mhm.
OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1k.
https://packages.ubuntu.com/search?keyw ... ection=all
1.1.1f :D

https://packages.debian.org/search?keyw ... ection=all
1.1.1d :D

a,b,c,d,e,f,g,h.. :D
Post Reply