oss-sec mailing list archives
Re: CVE Request: Smack: TLS SecurityMode.required not always enforced, leading to striptls attack
From: <cve-assign () mitre org>
Date: Thu, 22 Dec 2016 11:03:01 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I reported a vulnerability in the Smack XMPP library where the security of the TLS connection is not always enforced. By stripping the "starttls" feature from the server response with a man-in-the-middle tool, an attacker can force the client to authenticate in clear text even if the "SecurityMode.required" TLS setting has been set. This is a race condition issue so the attack will work after a few tries.
https://community.igniterealtime.org/blogs/ignite/2016/11/22/smack-security-advisory-2016-11-22 https://issues.igniterealtime.org/browse/SMACK-739 https://github.com/igniterealtime/Smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04 https://github.com/igniterealtime/Smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b
smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java
Use CVE-2016-10027. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYW/idAAoJEHb/MwWLVhi2Ti0QAIWkl59R8amXlPpJJjU4Ydbl 2ADm4yXOsRVnhy8QJ9u44ogteMANPZbuU006Q9ezeE2SIlLX1rcHeEsHy/nR9rNM us/Ip79ZIfDU1wuP1XjeIa1lO3Ldf0L2Wo9gX+JRaSyX+w0+WfIvmg40AtEehjfR 2hAPY3ALuiVw4y3TY6eRk2e03f765ZnvIqbTSO3ayRJ5NYLQlvI15+1WIGTOoH8o nputmqaDb2/jIQUoI2bpRVAnbijmN1CCOEDT0n1e/F8MmxYKpuTLnde98KhDriz+ o6OM5pYv0X1CnIb6RGzb2Brt2FUmqWvEAmnFoRknEy8UQ4iQWXRjoI/QQDMaI5ru WNaB2fUtplT4jQ2IeNLinFNwxbMYSaMrCWfNuIpuTANXXyF2PgKuYTA5JmwtJHkR pJuTRD+mfO1ybcyf/D678T3hldpC5NlMf9eRQDbB5h9viNLVBGhnulE/OPZpU+2R J3hvXAVpaGFHAQllBgSq8Ut7zsI5s7ZFoo2gWuHCA//dT+C6GjUs/h7w6wWK9iiU a932syiLLmT5HRCJwucEiwRk2KczVzMgai2FM1jSlDLoonw2nHqHe128rYcwGGQd DZeU/1e1ZYje1WLFCJzRuNGTesNwFdFhT/F3WLCrglANm1VfXuWyqtWMDSeInaf3 MWbq6ZtaZvw40COKoh8r =4pVQ -----END PGP SIGNATURE-----
Current thread:
- CVE Request: Smack: TLS SecurityMode.required not always enforced, leading to striptls attack Sylvain SARMEJEANNE (Dec 20)
- Re: CVE Request: Smack: TLS SecurityMode.required not always enforced, leading to striptls attack cve-assign (Dec 22)