Bug 1302463 (CVE-2016-0756)

Summary: CVE-2016-0756 prosody: mod_dialback allows impersonation attacks
Product: [Other] Security Response
Reporter: Robert Scheck <redhat-bugzilla>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: upstream-release-monitoring
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:47:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1302565, 1302566
Bug Blocks:

Description Robert Scheck 2016-01-27 23:59:05 UTC
Description
-----------

The flaw allows a malicious server to impersonate the vulnerable domain
to any XMPP domain whose domain name includes the attacker's domain as a
suffix.

For example, 'bber.example' would be able to connect to 'jabber.example'
and successfully impersonate any vulnerable server on the network.


Affected configurations
-----------------------

The default configuration is affected. Servers with mod_dialback disabled
are not affected.

Servers with s2s_secure_auth enabled will reject incoming impersonation
attempts (that is, servers attempting to impersonate other domains will be
rejected), but may still be impersonated to other servers on the network.


Temporary mitigation
--------------------

Disable mod_dialback by adding "dialback" to your modules_disabled list in
the global section of your config file, and restart Prosody:

  modules_disabled = { "dialback" }

Note that disabling dialback will affect interoperability with servers that
do not have trusted TLS certificates.
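The flaw described above is a suffix-match bug: a domain check that accepts any name ending in the verified domain, so 'bber.example' matches 'jabber.example'. The following is an added illustration of that bug class and of the exact, label-boundary comparison a defender wants instead; it is not Prosody's code, and the function names and sample domains are constructed for this example.

```python
# Added illustration of the suffix-match bug class named in the advisory
# above. Not Prosody's implementation; names and sample data are constructed.

def vulnerable_domain_match(name, verified):
    """Flawed check: accepts whenever the verified domain is merely a
    trailing substring of the name, so 'jabber.example' is accepted when
    only 'bber.example' was actually verified."""
    return name.lower().endswith(verified.lower())


def _labels(name):
    """Normalise case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def exact_domain_match(name, verified):
    """Hardened check: the name must equal the verified domain label for
    label, case-insensitively."""
    return _labels(name) == _labels(verified)


def is_subdomain_of(child, parent):
    """Only where sub-domain delegation is intended: compare on label
    boundaries, so 'bber.example' never counts as covering 'jabber.example'."""
    c, p = _labels(child), _labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def audit(pairs):
    """Return the (name, verified) pairs the flawed check accepts but the
    exact check rejects, i.e. the cases the advisory warns about."""
    return [(n, v) for n, v in pairs
            if vulnerable_domain_match(n, v) and not exact_domain_match(n, v)]


if __name__ == "__main__":
    # Constructed sample: the advisory's own example plus two benign pairs.
    sample = [
        ("jabber.example", "bber.example"),
        ("jabber.example", "jabber.example"),
        ("Jabber.Example.", "jabber.example"),
    ]
    print(audit(sample))  # [('jabber.example', 'bber.example')]
```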

Comment 1 Robert Scheck 2016-01-28 00:28:55 UTC
*** Bug 1302485 has been marked as a duplicate of this bug. ***

Comment 2 Martin Prpič 2016-01-28 08:08:08 UTC
External References:

https://prosody.im/security/advisory_20160127/

Comment 3 Martin Prpič 2016-01-28 08:08:47 UTC
Created prosody tracking bugs for this issue:

Affects: epel-all [bug 1302566]

Comment 4 Martin Prpič 2016-01-28 08:11:27 UTC
Created prosody tracking bugs for this issue:

Affects: fedora-all [bug 1302565]

Comment 5 Fedora Update System 2016-02-03 21:50:52 UTC
prosody-0.9.10-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-02-05 21:21:38 UTC
prosody-0.9.10-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-02-15 00:56:33 UTC
prosody-0.9.10-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-02-17 02:27:55 UTC
prosody-0.9.10-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Product Security DevOps Team 2019-06-08 02:47:58 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.