Security: DoS in OpenSSL affecting UnrealIRCd

Post by Syzop (UnrealIRCd head coder)

Several security issues were found in the OpenSSL library. UnrealIRCd uses OpenSSL if it was built with SSL support (on Windows: if you run the SSL binaries).

At least one of the issues is a remote denial of service: an attacker sends malformed data and the IRC daemon crashes.

As far as we know there is NO risk for remote code execution.

Jump below to the section relevant to you ('WINDOWS USERS' or '*NIX USERS')

==[ WINDOWS USERS ]==
Almost all Windows users download our binaries. All Windows SSL binaries released before today were built with a vulnerable OpenSSL version, including:
* Unreal3.2.10.4-SSL (Windows SSL version)
* Unreal3.4-alpha1 (Windows)
* Older Windows SSL versions are (very) likely affected as well

NOT affected:
* The non-SSL version for Windows (it contains no OpenSSL at all)
* Unreal3.2.10.4-SSL-fix (version shown by installer)
* Unreal3.4-alpha1-fix (version shown by installer)

==[ *NIX USERS ]==
On Linux, FreeBSD, and other *NIX systems UnrealIRCd will use the system installed OpenSSL version. So:
1. Follow the instructions of your vendor / distro to upgrade OpenSSL
2. Optionally recompile UnrealIRCd (make clean; make && make install). This is often not needed, but it is necessary if UnrealIRCd was linked against an OpenSSL copy that the vendor upgrade did not replace (for example one you built yourself under /usr/local) or if OpenSSL was linked in statically. If you do this, then also recompile any 3rd party modules you use.
3. Restart UnrealIRCd so it actually uses the upgraded OpenSSL version
4. That's it
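Added example for step 3 (this is not code from the UnrealIRCd project or from this post): on Linux you can confirm whether a running ircd still has the pre-upgrade library mapped by reading /proc/<pid>/maps. A libssl or libcrypto mapping marked "(deleted)" means the file on disk was replaced by the package upgrade while the process keeps executing the old copy, so a restart is required. The script also reports where the mapped OpenSSL files live, because a copy outside the distro's library directories is not touched by the vendor upgrade, which is one of the cases where step 2 (recompiling) applies. The sample maps text, the paths in it, and the DISTRO_LIB_DIRS list are constructed for illustration.

```python
import re
import sys
from typing import List, NamedTuple


class LibMapping(NamedTuple):
    path: str       # file backing the mapping
    deleted: bool   # True if the kernel flagged it "(deleted)"


# One /proc/<pid>/maps line: address perms offset dev inode [pathname [(deleted)]]
MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S.*?)(\s\(deleted\))?$")

# Library basenames that belong to OpenSSL.
SSL_LIB_PREFIXES = ("libssl", "libcrypto")

# Directories the package manager maintains (assumption; extend for your distro).
DISTRO_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def parse_ssl_mappings(maps_text: str) -> List[LibMapping]:
    """Return the distinct OpenSSL files a process maps, from its maps text."""
    found = {}
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m is None:          # anonymous mapping without a pathname
            continue
        path, deleted = m.group(1), m.group(2) is not None
        basename = path.rsplit("/", 1)[-1]
        if not basename.startswith(SSL_LIB_PREFIXES):
            continue
        found.setdefault(path, LibMapping(path, deleted))
    return list(found.values())


def needs_restart(maps_text: str) -> bool:
    """True if a mapped OpenSSL file was replaced on disk after the process started."""
    return any(lm.deleted for lm in parse_ssl_mappings(maps_text))


def non_distro_copies(maps_text: str) -> List[str]:
    """OpenSSL files mapped from outside the package-managed directories.
    A vendor upgrade does not replace these: upgrade that copy yourself and
    recompile UnrealIRCd against it."""
    return [lm.path for lm in parse_ssl_mappings(maps_text)
            if not lm.path.startswith(DISTRO_LIB_DIRS)]


def report(maps_text: str) -> str:
    """One-line verdict, suitable for a monitoring check."""
    libs = parse_ssl_mappings(maps_text)
    if not libs:
        # Either no SSL support, or OpenSSL linked statically into the binary;
        # maps cannot tell these apart, and a static copy needs a recompile.
        return "no shared OpenSSL mapped (no SSL support, or statically linked: recompile)"
    if needs_restart(maps_text):
        return "STALE: old OpenSSL still mapped, restart UnrealIRCd"
    private = non_distro_copies(maps_text)
    if private:
        return "private OpenSSL copy in use, upgrade it and recompile: " + ", ".join(private)
    return "OK: current OpenSSL from distro directories is mapped"


# Constructed sample: an ircd after the OpenSSL package upgrade but before a restart.
SAMPLE_MAPS = """\
00400000-00620000 r-xp 00000000 08:01 393243 /home/irc/unrealircd/src/ircd
7f2b3c000000-7f2b3c1a0000 r-xp 00000000 08:01 131077 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f2b3c1a0000-7f2b3c3a0000 ---p 001a0000 08:01 131077 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f2b3c400000-7f2b3c460000 r-xp 00000000 08:01 131080 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2b3c800000-7f2b3c9c0000 r-xp 00000000 08:01 131001 /lib/x86_64-linux-gnu/libc-2.19.so
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""


if __name__ == "__main__":
    # Usage: python3 check_ssl_maps.py <pid of ircd>   (reads /proc, Linux only)
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/maps") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAPS
    print(report(text))
```

Run it against the pid of the ircd process right after the package upgrade: "STALE" means step 3 is still pending; "private OpenSSL copy" or "no shared OpenSSL mapped" means the vendor upgrade alone was not enough and step 2 applies. The FreeBSD equivalent is procstat -v, whose output format differs from the regex above.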

==[ HOW TO CHECK IF YOU ARE VULNERABLE ]==
On IRC, as an IRCOp (not as a regular user!), type '/VERSION' or '/QUOTE VERSION'. If your server has OpenSSL support compiled in, the reply contains a line like this:
[18:40:06] OpenSSL 1.0.1m 19 Mar 2015

Version 1.0.1m means you're good.

If you see anything lower than 1.0.1m, such as "1.0.1h", then you are possibly vulnerable; see the next section. (The 1.0.1m threshold applies to the 1.0.1 branch. If your server reports a different OpenSSL branch, compare against the fixed release for that branch in the OpenSSL security advisory instead.)

If you see no such line at all, and you are sure you are IRCOp, then the server has no SSL support (no OpenSSL in use). You're safe.

TIP: You can also check remote servers, again only if you are IRCOp, by '/VERSION' or '/QUOTE VERSION remote.server'
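Added example (not code from this post or from the UnrealIRCd project) of the version comparison described above: it extracts the OpenSSL version from a /VERSION reply and decides it against the 1.0.1m threshold using OpenSSL's letter-suffix ordering. The table of fixed releases is keyed by branch and contains only the 1.0.1 entry this post names, so a server on any other branch is reported as "unknown-branch" rather than guessed at. The sample reply lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Fixed release named in this post, keyed by OpenSSL branch (major, minor, fix).
# Only 1.0.1m is given in the post. Other branches received their own fixed
# releases in the same OpenSSL advisory; add them here from that advisory
# before relying on this check for a server that reports another branch.
FIXED_LETTERS = {
    (1, 0, 1): "m",
}

# Matches "OpenSSL 1.0.1m 19 Mar 2015", "OpenSSL 1.0.2", "OpenSSL 0.9.8zf", ...
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letters_key(letters: str) -> Tuple[int, ...]:
    """Sort key for OpenSSL's patch-letter suffixes.

    The release order is '' < a < b < ... < z < za < zb < ...; encoding each
    letter as 1..26 in a tuple reproduces that order under tuple comparison
    ('' -> (), 'h' -> (8,), 'm' -> (13,), 'za' -> (26, 1)).
    """
    return tuple(ord(c) - ord("a") + 1 for c in letters)


def parse_openssl_version(line: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Extract ((major, minor, fix), letters) from a reply line, or None."""
    m = VERSION_RE.search(line)
    if m is None:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, m.group(4)


def classify_version_reply(lines: List[str]) -> str:
    """Classify the /VERSION output of an UnrealIRCd server.

    The caller must have issued /VERSION as an IRCOp: the OpenSSL line is only
    shown to opers, so for a regular user 'no-ssl' would be a false negative.
    Returns one of:
      'fixed'               - at or above the fixed release for that branch
      'possibly-vulnerable' - below it (vendor backports can make this a
                              false positive; check the package changelog)
      'unknown-branch'      - OpenSSL branch not present in FIXED_LETTERS
      'no-ssl'              - no OpenSSL line at all: no SSL support compiled in
    """
    for line in lines:
        parsed = parse_openssl_version(line)
        if parsed is None:
            continue
        branch, letters = parsed
        fixed = FIXED_LETTERS.get(branch)
        if fixed is None:
            return "unknown-branch"
        if letters_key(letters) >= letters_key(fixed):
            return "fixed"
        return "possibly-vulnerable"
    return "no-ssl"


# Constructed /VERSION replies (timestamps and wording are made up).
SAMPLES = {
    "patched": ["[18:40:06] OpenSSL 1.0.1m 19 Mar 2015"],
    "old":     ["[18:40:06] OpenSSL 1.0.1h 5 Jun 2014"],
    "no_ssl":  ["[18:40:06] (other reply lines, nothing about the SSL library)"],
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name}: {classify_version_reply(reply)}")
```

Paste the reply lines from your client into a list and call classify_version_reply on it; a "possibly-vulnerable" result on a distro-packaged OpenSSL still needs the backport check described further down, since the version string alone cannot show a backported fix.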

==[ HOW TO FIX ]==
New Windows SSL versions are available from
The installers have a filename like 'Unreal3.2.10.4-SSL-fix.exe' and 'Unreal3.4-alpha1-fix.exe'.
After installation you will see no change in the UnrealIRCd version number, because no UnrealIRCd code was changed; only the bundled OpenSSL was replaced.
You can, however, verify the OpenSSL version, see the previous block 'HOW TO CHECK IF YOU ARE VULNERABLE'.

On *NIX (Linux, FreeBSD, ..)? See the block '*NIX USERS' above. Did you already follow those instructions and still see an old version in use, even after restarting UnrealIRCd? On several Linux distros this is common: vendors routinely backport security fixes without bumping the version number, so the version string alone cannot prove whether the fix is present. Check your distro's security advisory or package changelog for the patched package version; beyond that, after following the 4 steps in '*NIX USERS' you more or less have to trust your vendor (and yourself).

==[ WHICH SERVERS ARE AFFECTED ]==
If you are running an UnrealIRCd server with SSL support (OpenSSL) and the OpenSSL version is vulnerable, then it can be attacked as soon as at least one port is reachable by the attacker. It does not matter whether that port is an SSL or a non-SSL port, or whether you have restrictive allow { } blocks.

In other words: yes, also upgrade your hub(s).

==[ TIMELINE ]==
Times are in UTC
2015-03-19 14:12 OpenSSL security announcement
2015-03-19 17:57 Downloads replaced
2015-03-19 20:15 Security announcement

==[ SOURCE ]==

This advisory (and updates to it, if any) is posted to: ... 150319.txt