Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CABQu4+4X=WBhODKjSM1-Pgm-Ujnc2Lxw5rXAUOojbCaDjphbhg@mail.gmail.com>
Date: Tue, 20 Dec 2016 22:00:12 +0100
From: Sylvain SARMEJEANNE <sylvain.sarmejeanne.ml@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Smack: TLS SecurityMode.required not always enforced,
 leading to striptls attack

Hello,

I reported a vulnerability in the Smack XMPP library where the security of
the TLS connection is not always enforced. By stripping the "starttls"
feature from the server response with a man-in-the-middle tool, an attacker
can force the client to authenticate in clear text even if the
"SecurityMode.required" TLS setting has been set. This is a race condition
issue so the attack will work after a few tries.

The vulnerability affects at least all 4.1.x versions and is fixed in Smack
4.1.9.

References:
https://community.igniterealtime.org/blogs/ignite/2016/11/22/smack-
security-advisory-2016-11-22
https://issues.igniterealtime.org/browse/SMACK-739
https://github.com/igniterealtime/Smack/commit/
a9d5cd4a611f47123f9561bc5a81a4555fe7cb04
https://github.com/igniterealtime/Smack/commit/
059ee99ba0d5ff7758829acf5a9aeede09ec820b

Could you assign a CVE for this?
Thanks!

Sylvain

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.