Bug 1302463 - (CVE-2016-0756) CVE-2016-0756 prosody: mod_dialback allows impersonation attacks
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All
OS: All
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20160127,repor...
Keywords: Security
Duplicates: 1302485
Depends On: 1302565 1302566
Reported: 2016-01-27 18:59 EST by Robert Scheck
Modified: 2016-02-16 21:27 EST
Doc Type: Bug Fix
Type: Bug
Description Robert Scheck 2016-01-27 18:59:05 EST
Description
-----------

The flaw allows a malicious server to impersonate the vulnerable domain
to any XMPP domain whose domain name includes the attacker's domain as a
suffix.

For example, 'bber.example' would be able to connect to 'jabber.example'
and successfully impersonate any vulnerable server on the network.


Affected configurations
-----------------------

The default configuration is affected. Servers with mod_dialback disabled
are not affected.

Servers with s2s_secure_auth enabled will reject incoming impersonation
attempts (that is, servers attempting to impersonate other domains will be
rejected), but may still be impersonated to other servers on the network.


Temporary mitigation
--------------------

Disable mod_dialback by adding "dialback" to your modules_disabled list in
the global section of your config file, and restart Prosody:

  modules_disabled = { "dialback" }

Note that disabling dialback will affect interoperability with servers that
do not have trusted TLS certificates.
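The defect class the advisory describes is a domain comparison that accepts a claimed origin whenever the real domain merely ends with it, so 'bber.example' passes for 'jabber.example'. The following is an added illustration, not Prosody's code and not its actual implementation: the function names, the exact shape of the flawed comparison and the sample domains are assumptions constructed for this example.

```python
# Constructed illustration of the domain-matching flaw class behind
# CVE-2016-0756. Not Prosody's code: helper names and the exact form of
# the flawed comparison are assumptions made for this example.

def normalize_domain(domain: str) -> str:
    """Canonical form for comparison: case-folded, no trailing dot."""
    return domain.strip().lower().rstrip(".")


def domain_matches_suffix(expected: str, claimed: str) -> bool:
    """Flawed check (assumed shape of the bug): accept the claimed origin
    if the expected domain merely ends with it. 'bber.example' therefore
    passes for 'jabber.example', as in the advisory's example."""
    return normalize_domain(expected).endswith(normalize_domain(claimed))


def domain_matches_exact(expected: str, claimed: str) -> bool:
    """Hardened check: the domain the dialback key was issued for and the
    domain being claimed must be identical after normalization. Neither a
    string suffix nor a DNS parent/child relation confers authority."""
    return normalize_domain(expected) == normalize_domain(claimed)


def verify_dialback_origin(expected: str, claimed: str, *, hardened: bool = True) -> bool:
    """Decide whether a dialback verification for `claimed` may be accepted
    on behalf of `expected` (the domain the verifying server actually
    resolved and connected to)."""
    check = domain_matches_exact if hardened else domain_matches_suffix
    return check(expected, claimed)


# Constructed cases: (domain contacted, domain claimed, should be accepted)
CASES = [
    ("jabber.example", "jabber.example", True),              # genuine origin
    ("Jabber.Example.", "jabber.example", True),             # case/trailing dot only
    ("jabber.example", "bber.example", False),               # string suffix (CVE-2016-0756)
    ("jabber.example", "example", False),                    # DNS parent is a different host
    ("conference.jabber.example", "jabber.example", False),  # subdomain vs parent
]


def evaluate(hardened: bool) -> list:
    """Return the (expected, claimed) pairs the chosen check misjudges."""
    return [(e, c) for e, c, ok in CASES
            if verify_dialback_origin(e, c, hardened=hardened) != ok]


if __name__ == "__main__":
    print("flawed suffix check misjudges:", evaluate(hardened=False))
    print("hardened exact check misjudges:", evaluate(hardened=True))
```

The suffix check wrongly accepts three of the five constructed cases, including the advisory's own 'bber.example' example; the exact-match check accepts only the genuine origin and its case/trailing-dot variants.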
Comment 1 Robert Scheck 2016-01-27 19:28:55 EST
*** Bug 1302485 has been marked as a duplicate of this bug. ***
Comment 2 Martin Prpič 2016-01-28 03:08:08 EST
External References:

https://prosody.im/security/advisory_20160127/
Comment 3 Martin Prpič 2016-01-28 03:08:47 EST
Created prosody tracking bugs for this issue:

Affects: epel-all [bug 1302566]
Comment 4 Martin Prpič 2016-01-28 03:11:27 EST
Created prosody tracking bugs for this issue:

Affects: fedora-all [bug 1302565]
Comment 5 Fedora Update System 2016-02-03 16:50:52 EST
prosody-0.9.10-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2016-02-05 16:21:38 EST
prosody-0.9.10-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-02-14 19:56:33 EST
prosody-0.9.10-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-02-16 21:27:55 EST
prosody-0.9.10-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
