Your message dated Sun, 09 Jul 2017 10:47:09 +0000
with message-id <e1du9k5-0009vq...@fasolo.debian.org>
and subject line Bug#867032: fixed in jabberd2 2.4.0-3+deb9u1
has caused the Debian Bug report #867032,
regarding jabberd2: CVE-2017-10807: allows anyone to authenticate using SASL ANONYMOUS, even when the option is not enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
867032: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867032
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jabberd2
Version: 2.4.0-3
Severity: grave
Tags: security
Justification: user security hole

During investigation of some issue on my local jabber server
I've found plenty of records like these in my c2s.log:

Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de629033bbf9c6c1aecec590aa8928c9...@my-server.com 195.208.220.171:55481 TLS
Mon Jul  3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc187a88c4d61f5ef14516fc6e69e94c...@my-server.com 62.76.74.249:51574 TLS
Mon Jul  3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92ecf35ac14cd71d9c5133f014a1cf3...@my-server.com 195.208.220.171:55722 TLS

and I did not allow such an auth type or usage scenario
for my server. The latest news on https://github.com/jabberd2/jabberd2/releases
told me that it was a bug, and that it's fixed:

https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch

This bug allows unauthorized usage of jabberd2 server installations
and can possibly lead to a DoS.

I've patched my version of jabberd2 from stable with the patch above,
and prepared one for Debian.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C 
(charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages jabberd2 depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libc6                2.24-11+deb9u1
ii  libdb5.3             5.3.28-12+b1
ii  libexpat1            2.2.0-2+deb9u1
ii  libgsasl7            1.8.0-8+b2
ii  libhttp-parser2.1    2.1-2
ii  libidn11             1.33-1
ii  libldap-2.4-2        2.4.44+dfsg-5
ii  libmariadbclient18   10.1.23-9+deb9u1
ii  libpam0g             1.1.8-3.6
ii  libpq5               9.6.3-3
ii  libsqlite3-0         3.16.2-5
ii  libssl1.0.2          1.0.2l-2
ii  libudns0             0.4-1+b1
ii  zlib1g               1:1.2.8.dfsg-5

jabberd2 recommends no packages.

jabberd2 suggests no packages.

-- no debconf information
Fix a bug allowing anyone to authenticate using SASL ANONYMOUS,
even when sasl.anonymous c2s.xml option is not enabled.

Original patch: 
https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16.patch
--- a/c2s/main.c
+++ b/c2s/main.c
@@ -562,6 +562,8 @@
             mechbuf[sizeof(mechbuf)-1]='\0';
             for(i = 0; mechbuf[i]; i++) mechbuf[i] = tolower(mechbuf[i]);
 
+            log_debug(ZONE, "sx sasl callback: check mech (mech=%s)", mechbuf);
+
             /* get host for request */
             host = xhash_get(c2s->hosts, s->req_to);
             if(host == NULL) {
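Review bot: the enforcement half of the fix is not visible in this hunk; the only change to c2s/main.c shown is a log_debug() call inside the sx_sasl_cb_CHECK_MECH handler, so the decision that actually rejects ANONYMOUS (comparing the lowercased mechbuf against what is enabled for the host found via xhash_get(c2s->hosts, s->req_to)) must already live in the code below this context, and the commit message should state that main.c's behaviour is unchanged apart from logging so reviewers do not look here for the policy check. Two smaller points on the surrounding lines: `for(i = 0; mechbuf[i]; i++) mechbuf[i] = tolower(mechbuf[i]);` passes a plain char, so a client-supplied mechanism byte >= 0x80 becomes a negative argument, which is undefined behaviour for tolower(); cast to `(unsigned char)`. And the new debug line prints a client-controlled string, which is fine only because it is passed as the `%s` argument and never as the format string; keep it that way.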
--- a/sx/sasl.c
+++ b/sx/sasl.c
@@ -328,7 +328,7 @@
     if(mech != NULL) {
         _sx_debug(ZONE, "auth request from client (mechanism=%s)", mech);
 
-        if(!gsasl_server_support_p(ctx->gsasl_ctx, mech)) {
+        if(!gsasl_server_support_p(ctx->gsasl_ctx, mech) || 
(ctx->cb)(sx_sasl_cb_CHECK_MECH, (void*)mech, NULL, s, ctx->cbarg) != 
sx_sasl_ret_OK) {
              _sx_debug(ZONE, "client requested mechanism (%s) that we didn't 
offer", mech);
              _sx_nad_write(s, _sx_sasl_failure(s, 
_sasl_err_INVALID_MECHANISM), 0);
              return;
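Review bot: the rejection path now merges two distinct causes under one message, `_sx_debug(ZONE, "client requested mechanism (%s) that we didn't offer", mech);` fires both when gsasl_server_support_p() says the library cannot run the mechanism and when the host's CHECK_MECH callback refuses it on policy grounds, so an operator debugging a wrongly rejected mechanism cannot tell which check failed; either split the condition into two branches or log the callback's return value. The ordering itself is right: the short-circuit `||` means the callback is only consulted for mechanisms gsasl can actually run, and answering with `_sasl_err_INVALID_MECHANISM` is the appropriate SASL failure for both cases. The `(void*)mech` cast discards const for a parameter the callback has no business modifying; change the callback's argument type rather than casting. Finally, a regression test that sends an ANONYMOUS auth request with the sasl.anonymous c2s.xml option disabled and expects the INVALID_MECHANISM failure would pin the behaviour this hunk restores.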

--- End Message ---
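The c2s.log lines quoted in the report above are the observable trace of CVE-2017-10807: successful ANONYMOUS logins on a server whose administrator never enabled that mechanism. As an added example, not code from the report, from jabberd2 or from the Debian package, the script below parses notices in that log format and flags every successful login whose SASL mechanism is outside the operator's allow-list, then counts offenders per source IP. The allow-list is an assumption supplied by the caller (the script does not read c2s.xml), and the embedded log lines are constructed to match the report's format, using documentation-range addresses and shortened JIDs.

```python
import re
from collections import Counter

# Matches jabberd2 c2s.log "authentication succeeded" notices in the shape
# quoted in the bug report, e.g.
#   Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: user@host 203.0.113.5:55481 TLS
# The IP class also admits ':' so IPv6 sources are captured; the ":port"
# suffix is disambiguated by backtracking on the trailing \d+.
AUTH_OK_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\[notice\] \[(?P<fd>\d+)\] "
    r"(?P<mech>[A-Z0-9-]+) authentication succeeded: "
    r"(?P<jid>\S+) (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)"
    r"(?P<tls> TLS)?\s*$"
)


def parse_auth_successes(lines):
    """Yield one dict per 'authentication succeeded' notice; other lines are skipped."""
    for line in lines:
        m = AUTH_OK_RE.match(line)
        if m:
            event = m.groupdict()
            event["tls"] = event["tls"] is not None
            yield event


def find_disallowed_logins(lines, allowed_mechs):
    """Return successful logins whose mechanism is not in the operator's allow-list.

    allowed_mechs is what the operator believes c2s.xml enables (an assumption
    passed in by the caller; nothing here reads the real configuration).
    """
    allowed = {m.upper() for m in allowed_mechs}
    return [e for e in parse_auth_successes(lines) if e["mech"] not in allowed]


def summarize_by_source(events):
    """Count disallowed logins per client IP so repeat sources stand out."""
    return Counter(e["ip"] for e in events)


# Constructed sample log, modelled on the report's lines (not real data).
SAMPLE_LOG = """\
Mon Jul  3 20:06:21 2017 [notice] [150] ANONYMOUS authentication succeeded: bf719de6@example.net 203.0.113.5:55481 TLS
Mon Jul  3 20:06:40 2017 [notice] [151] PLAIN authentication succeeded: alice@example.net 198.51.100.7:40112 TLS
Mon Jul  3 20:07:01 2017 [notice] [166] ANONYMOUS authentication succeeded: bcb1ccc1@example.net 192.0.2.9:51574 TLS
Mon Jul  3 20:07:30 2017 [notice] [167] starting up
Mon Jul  3 20:08:20 2017 [notice] [169] ANONYMOUS authentication succeeded: 4349fd92@example.net 203.0.113.5:55722 TLS
""".splitlines()


if __name__ == "__main__":
    # Operator's intent: only PLAIN and DIGEST-MD5 are meant to be enabled.
    bad = find_disallowed_logins(SAMPLE_LOG, allowed_mechs=["PLAIN", "DIGEST-MD5"])
    for e in bad:
        print(f"{e['ts']} {e['mech']} login as {e['jid']} "
              f"from {e['ip']}:{e['port']} tls={e['tls']}")
    for ip, n in summarize_by_source(bad).most_common():
        print(f"{ip}: {n} disallowed login(s)")
```

Run against a real c2s.log, any hit after the fixed 2.4.0-3+deb9u1 package is installed indicates the mechanism really is enabled in c2s.xml (or the patched binary is not the one running); hits dated before the upgrade are the unauthorised sessions the report describes and are worth correlating with connection counts for the DoS angle the reporter mentions.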
--- Begin Message ---
Source: jabberd2
Source-Version: 2.4.0-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
jabberd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated jabberd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 04 Jul 2017 16:42:15 +0200
Source: jabberd2
Binary: jabberd2
Architecture: source
Version: 2.4.0-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian XMPP Maintainers <pkg-xmpp-de...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 867032
Description: 
 jabberd2   - Jabber instant messenger server
Changes:
 jabberd2 (2.4.0-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed offered SASL mechanism check (CVE-2017-10807)
     Thanks to Sergey Korobitsin for the report. (Closes: #867032)
Checksums-Sha1: 
 292920f65af032d8a3ff1cb396f79be716966aa4 2395 jabberd2_2.4.0-3+deb9u1.dsc
 726794ec1a99da3cca4da4ea4c17ec9f6d05e84e 625496 jabberd2_2.4.0.orig.tar.gz
 ec0c4e0041e0e49e1a3b2f367acdeb234a45ec56 17604 
jabberd2_2.4.0-3+deb9u1.debian.tar.xz
Checksums-Sha256: 
 1a58310894ab17247bc0cb37db7a95d7c008af0205805914fed70d0f25698367 2395 
jabberd2_2.4.0-3+deb9u1.dsc
 d6b0ef9a03fc36b0f66f785c09b3a7a8cacbf0d438e0ac1d6ec6b45029d2f816 625496 
jabberd2_2.4.0.orig.tar.gz
 a184d5e37cda951b83970f5230fc2172767c740ebc668fc31c3c5ad7ad84ff7e 17604 
jabberd2_2.4.0-3+deb9u1.debian.tar.xz
Files: 
 b64451f377f3ce74b8ddc255959c8ea3 2395 net optional jabberd2_2.4.0-3+deb9u1.dsc
 1871f97d86affb0150ad8c3a6691cb46 625496 net optional jabberd2_2.4.0.orig.tar.gz
 ac0c5f902aa3ee489adc47ffa085fe25 17604 net optional 
jabberd2_2.4.0-3+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAllccfBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EFbUP/2l7lRGXpqoHjtZ+Q1ox/SCkZ7Wn3BO7
IPGZADl7xhbDUCOG2hRQeKADWs90vovMRCKOmGkbWqWPFDykvw1EQWqqqAXDUXRV
V8Ik0MR55Iu48eYjrSdT81P6Wq4W41b3BNlKh8vgx/9MBP6LV3wwUHvwFOWJ46HN
pGp6LXC4wPTK5Bfior6sSrA9VT3kB+mJ6AkbYwntk5324VrUrUVkKQs5zhr0Sr7k
jJJ4hW7HrWicZm07jgAcS4dMorG1jF4VyO8QMer9vRXztLFlt/k2EnKo7GbjATcW
nyX5U566sbVZivhBHxeIvAVeKUaDwQ6vxtCu7JNeYXrW4nmMDVIPI9p3phA1z2Fg
m9imz9rfdxXaaip0H+2nG5uMOwdAnGwI+b9q+c7Y7E2sDZShfLG7Vpx/YiH9n5h9
stJnyFILiOofuroyq44Ma0S80D7rf00PQCZaGh/KPax7v8aQ9uBwI3ZPz85kS3ac
BQDAib8uYu9TOoZNz35Cmfnr+1m2TqjFhqxaG/hhnVCbAndnBBp2izhnduepXJbq
RZoAUE547SeIfo1UOmbn1/ZSM3dlrfAt6+XwRUdbKi3RIQQsNgRs8ElHpW10m2Gr
F9PFtdVYgtLpYd0SHHa2HuQDKZggeG5QMKDIrQeV4VOQDOWpTEds12P2HzyL4DsP
YeBt0oMGpj5c
=cOcZ
-----END PGP SIGNATURE-----

--- End Message ---
