Bug 1296984 (CVE-2016-1232)

Summary:	CVE-2016-1232 prosody: use of weak PRNG in generation of dialback secrets
Product:	[Other] Security Response	Reporter:	Robert Scheck <redhat-bugzilla>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	carnil
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	prosody 0.9.9	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-03-17 20:31:16 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Robert Scheck 2016-01-08 15:44:46 UTC

It was discovered that Prosody's generation of the secret token for
server-to-server dialback authentication relied upon a weak random
number generator that was not cryptographically secure. This allows
an attacker to guess at probable values of the secret key. A successful
guess allows impersonation of the affected domain to other servers on
the network.

External References:

https://prosody.im/security/advisory_20160108-2/

Comment 1 Martin Prpič 2016-01-11 08:51:50 UTC

Affected configurations
-----------------------

Configurations with mod_dialback loaded (default configuration) are
affected.

Servers with s2s_secure_auth = true will not be susceptible to incoming
attempts to spoof other domains on the network. However if mod_dialback
is loaded, a server's domain's may still be spoofed by an attacker in
connections to other servers.

Not affected are configurations with a strong custom dialback_secret set
(though periodically regenerating the dialback_secret is still
advisable).

Temporary mitigation
--------------------

Set the 'dialback_secret' option in your configuration file to a long
random string.

A strong dialback_secret can be generated (for example) using the
command:

head -c 32 /dev/urandom | base64

Alternatively disable mod_dialback by adding it to your modules_disabled
option in your configuration file. In this case communication with
servers that only support dialback or have untrusted certificates will
not be possible.

Comment 2 Martin Prpič 2016-01-11 08:52:01 UTC

This has been fixed in:

prosody-0.9.9-1.fc24
prosody-0.9.9-1.fc22
prosody-0.9.9-1.el5
prosody-0.9.9-1.fc23
prosody-0.9.9-1.el7
prosody-0.9.9-1.el6

Comment 3 Fedora Update System 2016-01-20 21:55:54 UTC

prosody-0.9.9-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2016-01-21 04:48:40 UTC

prosody-0.9.9-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-01-22 00:57:42 UTC

prosody-0.9.9-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-01-26 15:42:21 UTC

prosody-0.9.9-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-01-27 16:12:52 UTC

prosody-0.9.9-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.