lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 17 Mar 2010 01:31:29 +0100
From: Jan Schejbal <jan.mailinglisten@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Miranda IM silent TLS failure

Summary:
Under certain conditions, Miranda ignores the "Use TLS" setting in 
Jabber accounts and uses an unencrypted connection.

Affected: Miranda IM (instant messenger), at least versions 0.8.16, 
0.9.0 alpha build #6 Unicode and SVN rev. 11383

Description:
If the following conditions are met:
  - "Use TLS" is enabled in the jabber account settings (Network - 
Jabber - Account),

  - "Validate SSL certificates" is enabled in the Network settings

  - "Disable SASL authentication" is enabled in the advanced jabber 
settings (Network - Jabber - Advanced, Miscellaneous - Server options)

Miranda will silently connect to the server without using TLS, sending 
all data in plain.


Impact: This issue allows eavesdropping and impersonation attacks on the 
connection to the XMPP/Jabber server, even if "Use TLS" is enabled and 
the user assumes the connection to be secure.


Workaround:
Uncheck "Disable SASL authentication" and restart Miranda.
Make sure the server certificate is trusted (via the Windows certificate 
store), or your connections will fail.


Disclosure:
The bug was reported to the authors via their bug tracker.

I disclose the issue to the public without waiting for a patch because

  a) no harm is expected from public knowledge of this issue, even as no 
patch exists

  b) an easy workaround (fixing the settings) exists


It seems that this issue was already reported by another user in 2009:
http://code.google.com/p/miranda/issues/detail?id=152

According to that, the "Disable SASL" setting suppresses TLS and no 
warning is given to the user.

Fix:
Ensure that if "Use TLS" is checked, failure to establish a TLS-secured 
connection is a fatal error. No data should be transferred and the user 
should be warned about this.

*Additionally*, make "Use TLS" and "Disable SASL" mutually exclusive and 
change the misleading name of the "Disable SASL" setting.


written by: Jan Schejbal

Thanks to Protogenes and Nico Haase for testing and confirming the issue.



Kind regards,
Jan Schejbal

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ