Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAJt9-x6kPqB6N+qT=70uYvF00sFECT8hBhLzJU9SZJ-q7p_F9g@mail.gmail.com>
Date: Wed, 27 Jan 2016 20:39:35 +0000
From: Matthew Wild <mwild1@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-0756: Prosody XMPP server: insecure dialback key
 generation/validation algorithm

A vulnerability has been found and fixed in the Prosody XMPP server.

CVE-2016-0756
-------------

Project
  ~ Prosody XMPP server
URL
  ~ https://prosody.im/
CVE
  ~ CVE-2016-0756
Date
  ~ 2016-01-27

Affected versions
  ~ All versions prior to 0.9.10
Affected Prosody modules
  ~ mod_dialback
Fixed versions
  ~ 0.9.10, 0.10 nightly build 201, trunk nightly build 612

Description
-----------

The flaw allows a malicious XMPP server to impersonate the vulnerable
domain to any
XMPP domain whose domain name includes the attacker's domain as a suffix.

For example, 'bber.example' would be able to connect to 'jabber.example' and
successfully impersonate any vulnerable server on the network.

Affected configurations
-----------------------

The default configuration is affected. Servers with mod_dialback
disabled are not affected.

Servers with s2s_secure_auth enabled will reject incoming
impersonation attempts (that is,
servers attempting to impersonate other domains will be rejected), but
may still be impersonated to other servers on the network.

Temporary mitigation
--------------------

Disable mod_dialback by adding "dialback" to your modules_disabled
list in the global
section of your config file, and restart Prosody:

   modules_disabled = { "dialback" }

Note that disabling dialback will affect interoperability with servers
that do not have trusted
TLS certificates.

Advice
------

All users should upgrade to 0.9.10, or check their OS distribution for
security updates. Users of development branches (0.10, trunk) should
upgrade to the latest nightly builds.

Credits
-------

The flaw was discovered and responsibly disclosed to us by Thijs Alkemade.

Links
-------

 - https://prosody.im/security/advisory_20160127/
 - http://blog.prosody.im/prosody-0-9-10-released/
 - https://prosody.im/issues/issue/596
 - https://hg.prosody.im/0.9/rev/5c6e78dc1864

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.