|
Message-ID: <CABQu4+4X=WBhODKjSM1-Pgm-Ujnc2Lxw5rXAUOojbCaDjphbhg@mail.gmail.com> Date: Tue, 20 Dec 2016 22:00:12 +0100 From: Sylvain SARMEJEANNE <sylvain.sarmejeanne.ml@...il.com> To: oss-security@...ts.openwall.com Subject: CVE Request: Smack: TLS SecurityMode.required not always enforced, leading to striptls attack Hello, I reported a vulnerability in the Smack XMPP library where the security of the TLS connection is not always enforced. By stripping the "starttls" feature from the server response with a man-in-the-middle tool, an attacker can force the client to authenticate in clear text even if the "SecurityMode.required" TLS setting has been set. This is a race condition issue so the attack will work after a few tries. The vulnerability affects at least all 4.1.x versions and is fixed in Smack 4.1.9. References: https://community.igniterealtime.org/blogs/ignite/2016/11/22/smack- security-advisory-2016-11-22 https://issues.igniterealtime.org/browse/SMACK-739 https://github.com/igniterealtime/Smack/commit/ a9d5cd4a611f47123f9561bc5a81a4555fe7cb04 https://github.com/igniterealtime/Smack/commit/ 059ee99ba0d5ff7758829acf5a9aeede09ec820b Could you assign a CVE for this? Thanks! Sylvain
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.