Bugzilla – Bug 1024687
VUL-0: CVE-2017-5593: psi-plus: Incorrect implementation of XEP-0280: Message Carbons
Last modified: 2017-10-26 08:32:09 UTC
Ref: http://seclists.org/oss-sec/2017/q1/373 ============================================= Summary ------- An incorrect implementation of XEP-0280: Message Carbons[0] in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. Classification -------------- - CWE-304: Missing Critical Step in Authentication - CWE-940: Improper Verification of Source of a Communication Channel - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N (score 7.1) Affected Applications --------------------- <skipped> - CVE-2017-5593: Psi+ (0.16.563.580 - 0.16.571.627) <skipped> Details ------- The XMPP protocol extension "XEP-0280: Message Carbons"[0] allows a user to run multiple clients on their XMPP account by sending "carbon copies" of outgoing and incoming messages to the user's other devices (besides the one that directly sent or received the original message). This feature must be supported by the user's server and must be explicitly enabled by the client. Carbon copies are always generated by the user's server and originate from the user's bare JID (their account address). For example, the following is message "Hi!", sent by Alice (`alice@xmpp.example`) to Bob's client 1 (`bob@xmpp.example/client1`): <message from="alice@xmpp.example" to="bob@xmpp.example/client1"> <body>Hi!</body> </message> Bob is also logged in with carbons-enabled client 2, which receives the following carbon-copy of the message: <message from="bob@xmpp.example" to="bob@xmpp.example/client2"> <received xmlns='urn:xmpp:carbons:2'><forwarded xmlns='urn:xmpp:forward:0'> <message from="alice@xmpp.example" to="bob@xmpp.example/client1"> <body>Hi!</body> </message> </forwarded></received> </message> Now, client 2 can extract the original message from the carbon copy and display it accordingly. The "Security Considerations" section of XEP-0280 explicitly states that: | Any forwarded copies received by a Carbons-enabled client MUST be from | that user's bare JID; any copies that do not meet this requirement | MUST be ignored. The Carbons implementation in the affected clients was lacking this test. It simply checked all incoming messages for presence of a Carbon element (`<received/>` or `<sent/>`), extracted and parsed it like a regular message. Therefore, it was possible for Mallory to send the following specially crafted message to Bob: <message from="mallory@evil.example" to="b@xmpp.example"> <received xmlns='urn:xmpp:carbons:2'><forwarded xmlns='urn:xmpp:forward:0'> <message from="alice@xmpp.example" to="bob@xmpp.example/client1"> <body>Please come to Creepy Valley tonight, alone!</body> </message> </forwarded></received> </message> This would appear as an authentic message from Alice, including Alice' proper screen name, allowing Mallory to perform social engineering attacks on Bob. ============================================= Fix: - 2017-01-28 Release of Psi+ 0.16.571.630 fix commit: https://github.com/psi-im/iris/pull/47/commits/02e976d4426a1319a7af7d26d7aba9d8c6077570 Links ----- [0] https://xmpp.org/extensions/xep-0280.html [1] https://gultsch.de/gajim_roster_push_and_message_interception.html [2] http://www.openwall.com/lists/oss-security/2016/12/09/5 [3] https://blog.thijsalkema.de/ HTML version of advisory: https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ PDF version of advisory: https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbon s.pdf
https://software.opensuse.org/package/psi+
Leap 42.1/42.2 seem not to contain any carbon message handling yet. openSUSE:Factory/psi+ seems to contain the affected code.
bugbot adjusting priority
Submitted: https://build.opensuse.org/request/show/456644
FTR 42.2 contains: 0.16.560.575 (2016-07-27) 42.1 contains: 0.16.475 (2015-09-25)
i think we are done