The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network domains via a crafted stream id and domain name that is included in the target domain as a suffix.

Prosody 0.9.10 ============== A summary of changes in this release:
Security -------- * mod_dialback: Adopt key generation algorithm from XEP-0185, to prevent impersonation attacks (CVE-2016-0756) Fixes and improvements ---------------------- * Startup: Open /dev/urandom read-only, to fix a failure to start on some systems (fixes #585) * Networking: Improve handling of the 'select' network backend running out of file descriptors Minor changes ------------- * Networking:
Increase default internal read size to prevent connections stalling with LuaEvent (see #583) * DNS: Discard queries that failed to send due to connection errors (fixes #598) * c2s, s2s: Lower priority of shutdown handler, so that modules such as MUC can always send shutdown notifications to (remote) users (fixes #601)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that insecure handling of dialback keys may allow a malicious XMPP server to impersonate another server.

The flaw allows a malicious server to impersonate the vulnerable domain to any XMPP domain whose domain name includes the attacker's domain as a suffix.

For example, 'bber.example' would be able to connect to 'jabber.example' and successfully impersonate any vulnerable server on the network.

This release also fixes a regression introduced in the previous CVE-2016-1232 fix: s2s doesn't work if /dev/urandom is read-only.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Prosody team reports :

Adopt key generation algorithm from XEP-0185, to prevent impersonation attacks (CVE-2016-0756)

ID	Name	Product	Family	Severity
89627	Fedora 22 : prosody-0.9.10-1.fc22 (2016-e2c5111eda)	Nessus	Fedora Local Security Checks	medium
89552	Fedora 23 : prosody-0.9.10-1.fc23 (2016-5a5c85c5a8)	Nessus	Fedora Local Security Checks	medium
88498	Debian DSA-3463-1 : prosody - security update	Nessus	Debian Local Security Checks	medium
88493	Debian DLA-407-1 : prosody security update	Nessus	Debian Local Security Checks	medium
88466	FreeBSD : prosody -- user impersonation vulnerability (50394bc9-c5fa-11e5-96a5-d93b343d1ff7)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2016-0756

medium

Tenable Plugins

medium

medium

medium

medium

medium