[Pkg-xmpp-devel] Bug#867032: jabberd2 allowing anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled

Sergey Korobitsin undertaker at arta.kz
Mon Jul 3 14:35:45 UTC 2017


Package: jabberd2
Version: 2.4.0-3
Severity: grave
Tags: security
Justification: user security hole

During an investigation of an issue on my local Jabber server
I found plenty of records like these in my c2s.log:

Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c92da at my-server.com 195.208.220.171:55481 TLS
Mon Jul  3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94cf9a at my-server.com 62.76.74.249:51574 TLS
Mon Jul  3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3fb5 at my-server.com 195.208.220.171:55722 TLS

and I did not allow such an auth type or usage scenario
for my server. The latest news on https://github.com/jabberd2/jabberd2/releases
told me that this was a bug, and it has been fixed:

https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch

This bug allows unauthorized usage of jabberd2 server installations
and can possibly lead to a DoS.

I've patched my version of jabberd2 from stable with the patch above,
and prepared one for Debian.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages jabberd2 depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u1
ii  libdb5.3             5.3.28-12+b1
ii  libexpat1            2.2.0-2+deb9u1
ii  libgsasl7            1.8.0-8+b2
ii  libhttp-parser2.1    2.1-2
ii  libidn11             1.33-1
ii  libldap-2.4-2        2.4.44+dfsg-5
ii  libmariadbclient18   10.1.23-9+deb9u1
ii  libpam0g             1.1.8-3.6
ii  libpq5               9.6.3-3
ii  libsqlite3-0         3.16.2-5
ii  libssl1.0.2          1.0.2l-2
ii  libudns0             0.4-1+b1
ii  zlib1g               1:1.2.8.dfsg-5

jabberd2 recommends no packages.

jabberd2 suggests no packages.

-- no debconf information
-------------- next part --------------
Fix a bug allowing anyone to authenticate using SASL ANONYMOUS,
even when sasl.anonymous c2s.xml option is not enabled.

Original patch: https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch
--- a/c2s/main.c
+++ b/c2s/main.c
@@ -562,6 +562,8 @@
             mechbuf[sizeof(mechbuf)-1]='\0';
             for(i = 0; mechbuf[i]; i++) mechbuf[i] = tolower(mechbuf[i]);
 
+            log_debug(ZONE, "sx sasl callback: check mech (mech=%s)", mechbuf);
+
             /* get host for request */
             host = xhash_get(c2s->hosts, s->req_to);
             if(host == NULL) {
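Review bot: this hunk is logging only, so the actual policy decision cannot be reviewed from c2s/main.c in this patch; the mechanism name is lowercased into mechbuf and written with log_debug, but the code in the sx_sasl_cb_CHECK_MECH path that must reject "anonymous" when sasl.anonymous is off is not in the diff. Suggest adding a regression test that sends an auth request with mechanism ANONYMOUS to a host with sasl.anonymous disabled and asserts the invalid-mechanism failure, and noting in the commit message that the callback compares lowercased names (as the tolower loop above shows) so a future mechanism check is not written against the client's original case.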
--- a/sx/sasl.c
+++ b/sx/sasl.c
@@ -328,7 +328,7 @@
     if(mech != NULL) {
         _sx_debug(ZONE, "auth request from client (mechanism=%s)", mech);
 
-        if(!gsasl_server_support_p(ctx->gsasl_ctx, mech)) {
+        if(!gsasl_server_support_p(ctx->gsasl_ctx, mech) || (ctx->cb)(sx_sasl_cb_CHECK_MECH, (void*)mech, NULL, s, ctx->cbarg) != sx_sasl_ret_OK) {
              _sx_debug(ZONE, "client requested mechanism (%s) that we didn't offer", mech);
              _sx_nad_write(s, _sx_sasl_failure(s, _sasl_err_INVALID_MECHANISM), 0);
              return;
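Review bot: the new condition fails closed (anything other than sx_sasl_ret_OK rejects), which is correct, but the unchanged debug message "client requested mechanism (%s) that we didn't offer" now covers two different cases: a mechanism gsasl does not support at all, and one gsasl supports but the host's CHECK_MECH callback refused by configuration. Suggest splitting the check into two if statements so the policy rejection gets its own debug line (for example "mechanism %s disabled by configuration for this host"), which also breaks up the very long replacement line. Also note that mech is handed to the callback exactly as the client sent it, so the callback is responsible for case normalisation; the c2s side does this by lowercasing into mechbuf, and any other callback implementation must do the same or "ANONYMOUS" and "anonymous" will be treated differently.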

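The c2s.log lines quoted in the report are the only evidence an operator has that the bug was exploited, so it is worth checking existing logs for successful authentications with a mechanism the host never enabled. The following is an added example for this report, not part of jabberd2 or Debian packaging: it parses the log format of the three quoted lines, compares each successful authentication against a per-host set of enabled mechanisms, and counts offending source addresses. The three ANONYMOUS lines are copied from the report; the PLAIN line and the ALLOWED_MECHS policy are constructed, and the exact user field jabberd2 logs for non-anonymous logins is an assumption.

```python
"""Audit a jabberd2 c2s.log for SASL authentications that succeeded with a
mechanism the host was not configured to offer (e.g. ANONYMOUS while
sasl.anonymous is disabled in c2s.xml).

Added example for Debian bug #867032; not part of jabberd2.  The log format
is taken from the lines quoted in the report; the PLAIN line and the
per-host policy below are constructed for illustration.
"""
import re
from collections import Counter

# Assumed policy: mechanisms each host actually enables in its c2s.xml.
ALLOWED_MECHS = {"my-server.com": {"PLAIN", "DIGEST-MD5", "SCRAM-SHA-1"}}

# First three lines copied from the report; the PLAIN line is constructed in
# the same shape to represent a legitimate login.
SAMPLE_LOG = """\
Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c92da at my-server.com 195.208.220.171:55481 TLS
Mon Jul  3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94cf9a at my-server.com 62.76.74.249:51574 TLS
Mon Jul  3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3fb5 at my-server.com 195.208.220.171:55722 TLS
Mon Jul  3 20:09:02 2017 [notice] [172] PLAIN authentication succeeded: alice at my-server.com 192.0.2.10:40000 TLS
"""

# One "authentication succeeded" record: timestamp, syslog-style level,
# connection fd, SASL mechanism, user, virtual host, peer ip:port, optional TLS.
AUTH_OK = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[(?P<level>\w+)\] \[(?P<fd>\d+)\] "
    r"(?P<mech>[A-Z0-9-]+) authentication succeeded: "
    r"(?P<user>\S+) at (?P<host>\S+) (?P<ip>\S+):(?P<port>\d+)"
    r"(?: (?P<tls>TLS))?$"
)


def parse_auth_success(line):
    """Return a dict for a successful-auth line, or None for anything else."""
    m = AUTH_OK.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["tls"] = rec["tls"] is not None
    return rec


def audit(log_text, allowed=ALLOWED_MECHS):
    """Return every successful auth whose mechanism the host did not enable.

    A host absent from the policy is treated as enabling nothing, so every
    success on it is reported (fail closed rather than silently ignored).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_auth_success(line)
        if rec is None:
            continue
        if rec["mech"] not in allowed.get(rec["host"], set()):
            findings.append(rec)
    return findings


def offenders_by_ip(findings):
    """Count disallowed logins per peer address for follow-up (blocking, abuse reports)."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = audit(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['host']} accepted {h['mech']} from {h['ip']} (fd {h['fd']})")
    print(offenders_by_ip(hits))
```

Run it against a real c2s.log with `audit(open(path).read())` after editing ALLOWED_MECHS to match the mechanisms actually listed in each host's c2s.xml; any ANONYMOUS hit on a host with sasl.anonymous disabled indicates the unpatched behaviour was exercised.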

More information about the Pkg-xmpp-devel mailing list