Bug 1302463 (CVE-2016-0756) - CVE-2016-0756 prosody: mod_dialback allows impersonation attacks
Summary: CVE-2016-0756 prosody: mod_dialback allows impersonation attacks
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2016-0756
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1302485
Depends On: 1302565 1302566
Blocks:
Reported: 2016-01-27 23:59 UTC by Robert Scheck
Modified: 2021-02-17 04:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:47:58 UTC
Embargoed:


Description Robert Scheck 2016-01-27 23:59:05 UTC
Description
-----------

The flaw allows a malicious server to impersonate the vulnerable domain
to any XMPP domain whose domain name includes the attacker's domain as a
suffix.

For example, 'bber.example' would be able to connect to 'jabber.example'
and successfully impersonate any vulnerable server on the network.


Affected configurations
-----------------------

The default configuration is affected. Servers with mod_dialback disabled
are not affected.

Servers with s2s_secure_auth enabled will reject incoming impersonation
attempts (that is, servers attempting to impersonate other domains will be
rejected), but may still be impersonated to other servers on the network.


Temporary mitigation
--------------------

Disable mod_dialback by adding "dialback" to your modules_disabled list in
the global section of your config file, and restart Prosody:

  modules_disabled = { "dialback" }

Note that disabling dialback will affect interoperability with servers that
do not have trusted TLS certificates.
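The description above reduces to a name comparison that accepts a suffix where it should require equality. The following is an added, constructed model of that class of check (it is not Prosody's code and does not reproduce mod_dialback's internals): the flawed suffix comparison beside the exact-match form, run over the advisory's own 'bber.example' / 'jabber.example' pair plus a few more constructed cases. The `normalize_domain` step and all function names are assumptions made for the example.

```python
"""Model of a dialback origin check: suffix match (flawed) vs exact match.
Constructed example; not the Prosody implementation."""

def normalize_domain(d: str) -> str:
    # Assumption: lower-case and strip a trailing dot before comparing,
    # so "Jabber.Example." and "jabber.example" compare as the same name.
    return d.strip().rstrip(".").lower()

def suffix_match(presented: str, authenticated: str) -> bool:
    """Flawed form: accept when the name the peer has actually been
    authenticated as is merely a suffix of the name it presents.
    Under this rule 'bber.example' passes for 'jabber.example'."""
    return normalize_domain(presented).endswith(normalize_domain(authenticated))

def exact_match(presented: str, authenticated: str) -> bool:
    """Correct form: the presented origin must equal the authenticated one."""
    return normalize_domain(presented) == normalize_domain(authenticated)

# Constructed cases: (name the peer presents, name it was authenticated as)
CASES = [
    ("jabber.example", "jabber.example"),  # legitimate peer
    ("jabber.example", "bber.example"),    # the advisory's example pair
    ("jabber.example", "example"),         # any shorter suffix also passes the flaw
    ("jabber.example", "other.example"),   # unrelated name, rejected by both
    ("Jabber.Example.", "jabber.example"), # same name, different spelling
]

def wrongly_accepted(check) -> list[str]:
    """Authenticated names that `check` lets stand in for a different
    presented name, i.e. the impersonations the rule would allow."""
    return [
        auth for pres, auth in CASES
        if check(pres, auth) and normalize_domain(pres) != normalize_domain(auth)
    ]

if __name__ == "__main__":
    print("suffix match allows:", wrongly_accepted(suffix_match))
    print("exact match allows: ", wrongly_accepted(exact_match))
```

Running it shows the suffix rule accepting both 'bber.example' and the bare 'example' for 'jabber.example', while the exact-match rule accepts neither but still treats the differently spelled legitimate name as equal.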

Comment 1 Robert Scheck 2016-01-28 00:28:55 UTC
*** Bug 1302485 has been marked as a duplicate of this bug. ***

Comment 2 Martin Prpič 2016-01-28 08:08:08 UTC
External References:

https://prosody.im/security/advisory_20160127/

Comment 3 Martin Prpič 2016-01-28 08:08:47 UTC
Created prosody tracking bugs for this issue:

Affects: epel-all [bug 1302566]

Comment 4 Martin Prpič 2016-01-28 08:11:27 UTC
Created prosody tracking bugs for this issue:

Affects: fedora-all [bug 1302565]

Comment 5 Fedora Update System 2016-02-03 21:50:52 UTC
prosody-0.9.10-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-02-05 21:21:38 UTC
prosody-0.9.10-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-02-15 00:56:33 UTC
prosody-0.9.10-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-02-17 02:27:55 UTC
prosody-0.9.10-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Product Security DevOps Team 2019-06-08 02:47:58 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
