Security: crash issue if SASL is enabled

News about the UnrealIRCd project, including release announcements
Post Reply
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Security: crash issue if SASL is enabled

Post by Syzop »

Summary
If SASL support is enabled in UnrealIRCd (this is not the default) and is also enabled in your services package then a malicious user with a services account can cause UnrealIRCd to crash. Most people have not enabled SASL and are safe. Those who do have SASL enabled can easily fix this potential crash issue without a server restart. See below.

This bug was reported by Kevin Weidemann.

Who is affected
For a user to be able to crash UnrealIRCd *ALL* of the following conditions must be true:
  • Must be running UnrealIRCd version 3.2.10 or higher (including 3.2.10.4). The 3.4.x series are also affected (including 3.4-beta2).
  • In your configuration file (unrealircd.conf or included files) you have configured a SASL server via set::sasl-server
  • You are using a services package (such as anope) and the server is linked
  • SASL support is enabled in your services
  • The malicious user has (or can) register an account at services (usually via NickServ).
If one of the points above is not true for your installation then a remote user cannot crash your server via this bug.
In particular, if you are not using SASL then no patch or upgrade is needed and you can stop reading here.

If you are unsure if you have enabled SASL then search for sasl-server in your configuration files. If this word is not found then SASL is disabled. This will actually be the case for the majority of installations. When SASL is enabled in the configuration file it will look like this:

Code: Select all

set {
        sasl-server "services.something.net";
};
Solutions
For UnrealIRCd 3.2.10.x we present 3 possible solutions in case you are affected by this bug:
  • A workaround (NO restart needed)
  • A patch (NO restart needed) (*NIX only)
  • A new UnrealIRCd version (for new installations)
For the UnrealIRCd 3.4 beta series we suggest you to upgrade to 3.4-beta3.

Workaround
If you remove the sasl-server directive from your configuration file and rehash the IRCd then SASL support will be disabled.
This is an easy workaround but for most people who have SASL enabled this won't be an acceptable solution.

Patch / hotfix
If you are on *NIX then it's possible to fix the crash issue by patching the source, recompiling UnrealIRCd, and then rehashing the server. This will fix your IRC server without requiring a server restart.

Execute the following commands on the shell from your UnrealIRCd directory, for example from /home/irc/Unreal3.2.10.4:

Code: Select all

wget http://www.unrealircd.org/downloads/sasl.patch
patch -p0 <sasl.patch
make && make install
After doing the above you must rehash the IRCd. Either online as an IRCOp by using the /REHASH command, or via ./unreal rehash on the command line.

New versions
New versions of UnrealIRCd are available which include a fix for this issue. They are 3.2.10.5 (stable) and 3.4-beta3 (development version).
The new versions are meant for Windows users and new installations. For *NIX users with existing 3.2.x installations we suggest to use the patch or workaround instead because doing so incurs no downtime.

Bug details
Type of bug: Crash due to NULL pointer dereference
CVSS v2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVSS Base Score: 6.8
CVSS Temporal Score: 5.6

Timeline
Times are in UTC+2
2015-08-13 00:20 Bug reported privately to UnrealIRCd team
2015-08-13 07:55 First response
2015-08-13 16:05 Bug confirmed by developer
2015-08-15 16:15 Patched
2015-08-16 09:00 Source and binary releases ready
2015-08-16 15:00 Security advisory sent out

References
This advisory (and updates to it, if any) is available from: https://www.unrealircd.org/txt/unrealse ... 150816.txt
Post Reply