Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 573158 (CVE-2016-0756)

Summary: <net-im/prosody-0.9.10: Security vulnerability in mod_dialback (CVE-2016-0756)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: hauschild.markus, klausman, rafaelmartins, zx2c4
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 571312    

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-27 21:07:28 UTC 
A vulnerability has been found and fixed in the Prosody XMPP server.

CVE-2016-0756
-------------

Project
  ~ Prosody XMPP server
URL
  ~ https://prosody.im/
CVE
  ~ CVE-2016-0756
Date
  ~ 2016-01-27

Affected versions
  ~ All versions prior to 0.9.10
Affected Prosody modules
  ~ mod_dialback
Fixed versions
  ~ 0.9.10, 0.10 nightly build 201, trunk nightly build 612

Description
-----------

The flaw allows a malicious XMPP server to impersonate the vulnerable
domain to any XMPP domain whose domain name includes the attacker's domain as a suffix.

For example, 'bber.example' would be able to connect to 'jabber.example' and
successfully impersonate any vulnerable server on the network.

Affected configurations
-----------------------

The default configuration is affected. Servers with mod_dialback
disabled are not affected.

Servers with s2s_secure_auth enabled will reject incoming
impersonation attempts (that is,
servers attempting to impersonate other domains will be rejected), but
may still be impersonated to other servers on the network.

Temporary mitigation
--------------------

Disable mod_dialback by adding "dialback" to your modules_disabled
list in the global
section of your config file, and restart Prosody:

   modules_disabled = { "dialback" }

Note that disabling dialback will affect interoperability with servers
that do not have trusted
TLS certificates.

Advice
------

All users should upgrade to 0.9.10, or check their OS distribution for
security updates. Users of development branches (0.10, trunk) should
upgrade to the latest nightly builds.

Credits
-------

The flaw was discovered and responsibly disclosed to us by Thijs Alkemade.

Links
-------

 - https://prosody.im/security/advisory_20160127/
 - http://blog.prosody.im/prosody-0-9-10-released/
 - https://prosody.im/issues/issue/596
 - https://hg.prosody.im/0.9/rev/5c6e78dc1864
Comment 1 Tobias Klausmann (RETIRED) gentoo-dev 2016-01-28 08:36:04 UTC 
Version 0.9.10 is in the tree with testing keywords for amd64, arm and x86.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-05-30 06:57:43 UTC 
@arches, please stabilize.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-30 12:34:54 UTC 
Been running it for a while with no issues.

Stable on amd64.
Comment 4 Markus Meier gentoo-dev 2016-06-04 05:04:53 UTC 
arm stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 08:59:52 UTC 
CVE-2016-0756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0756):
  The generate_dialback function in the mod_dialback module in Prosody before
  0.9.10 does not properly separate fields when generating dialback keys,
  which allows remote attackers to spoof XMPP network domains via a crafted
  stream id and domain name that is included in the target domain as a suffix.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-06-21 09:00:42 UTC 
@x86, ping.
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-27 08:48:55 UTC 
x86 stable.

Maintainer(s), please cleanup.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-28 12:03:55 UTC 
Removed 0.9.{8,9} with commit 3b0fbe83c7219e1bd9fccc4ad7c5fb9cd54fb4fa
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-06-28 12:32:07 UTC 
GLSA Vote: No