oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE Request: Smack: TLS SecurityMode.required not always enforced, leading to striptls attack

From: Sylvain SARMEJEANNE <sylvain.sarmejeanne.ml () gmail com>
Date: Tue, 20 Dec 2016 22:00:12 +0100
Hello,

I reported a vulnerability in the Smack XMPP library where the security of
the TLS connection is not always enforced. By stripping the "starttls"
feature from the server response with a man-in-the-middle tool, an attacker
can force the client to authenticate in clear text even if the
"SecurityMode.required" TLS setting has been set. This is a race condition
issue so the attack will work after a few tries.

The vulnerability affects at least all 4.1.x versions and is fixed in Smack
4.1.9.

References:
https://community.igniterealtime.org/blogs/ignite/2016/11/22/smack-
security-advisory-2016-11-22
https://issues.igniterealtime.org/browse/SMACK-739
https://github.com/igniterealtime/Smack/commit/
a9d5cd4a611f47123f9561bc5a81a4555fe7cb04
https://github.com/igniterealtime/Smack/commit/
059ee99ba0d5ff7758829acf5a9aeede09ec820b

Could you assign a CVE for this?
Thanks!

Sylvain
Previous By Date Next
Previous By Thread Next

Current thread: