Bug 1024687 - (CVE-2017-5593) VUL-0: CVE-2017-5593: psi-plus: Incorrect implementation of XEP-0280: Message Carbons
VUL-0: CVE-2017-5593: psi-plus: Incorrect implementation of XEP-0280: Message...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2017-02-10 09:53 UTC by Mikhail Kasimov
Modified: 2017-10-26 08:32 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-02-10 09:53:25 UTC
Ref: http://seclists.org/oss-sec/2017/q1/373

An incorrect implementation of XEP-0280: Message Carbons[0] in multiple
XMPP clients allows a remote attacker to impersonate any user, including
contacts, in the vulnerable application's display. This allows for
various kinds of social engineering attacks.


  - CWE-304: Missing Critical Step in Authentication
  - CWE-940: Improper Verification of Source of a Communication Channel
  - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N (score 7.1)

Affected Applications


- CVE-2017-5593: Psi+ (0.16.563.580 - 0.16.571.627)


The XMPP protocol extension "XEP-0280: Message Carbons"[0] allows
a user to run multiple clients on their XMPP account by sending "carbon
copies" of outgoing and incoming messages to the user's other devices
(besides the one that directly sent or received the original message).

This feature must be supported by the user's server and must be
explicitly enabled by the client. Carbon copies are always generated by
the user's server and originate from the user's bare JID (their account

For example, the following is message "Hi!", sent by Alice
(`alice@xmpp.example`) to Bob's client 1 (`bob@xmpp.example/client1`):

        <message from="alice@xmpp.example" to="bob@xmpp.example/client1">

Bob is also logged in with carbons-enabled client 2, which receives the
following carbon-copy of the message:

        <message from="bob@xmpp.example" to="bob@xmpp.example/client2">
            <received xmlns='urn:xmpp:carbons:2'><forwarded
                <message from="alice@xmpp.example"

Now, client 2 can extract the original message from the carbon copy and
display it accordingly. The "Security Considerations" section of
XEP-0280 explicitly states that:

| Any forwarded copies received by a Carbons-enabled client MUST be from
| that user's bare JID; any copies that do not meet this requirement
| MUST be ignored.

The Carbons implementation in the affected clients was lacking this
test. It simply checked all incoming messages for presence of a Carbon
element (`<received/>` or `<sent/>`), extracted and parsed it like a
regular message.

Therefore, it was possible for Mallory to send the following specially
crafted message to Bob:

        <message from="mallory@evil.example" to="b@xmpp.example">
            <received xmlns='urn:xmpp:carbons:2'><forwarded
                <message from="alice@xmpp.example"
                    <body>Please come to Creepy Valley tonight,

This would appear as an authentic message from Alice, including Alice'
proper screen name, allowing Mallory to perform social engineering
attacks on Bob.

Fix:  - 2017-01-28 Release of Psi+ 0.16.571.630
    fix commit:


[0] https://xmpp.org/extensions/xep-0280.html
[1] https://gultsch.de/gajim_roster_push_and_message_interception.html
[2] http://www.openwall.com/lists/oss-security/2016/12/09/5
[3] https://blog.thijsalkema.de/

HTML version of advisory:
PDF version of advisory:
Comment 1 Mikhail Kasimov 2017-02-10 10:00:24 UTC
Comment 2 Matthias Gerstner 2017-02-10 11:21:58 UTC
Leap 42.1/42.2 seem not to contain any carbon message handling yet.

openSUSE:Factory/psi+ seems to contain the affected code.
Comment 3 Swamp Workflow Management 2017-02-10 23:00:29 UTC
bugbot adjusting priority
Comment 4 Jiri Slaby 2017-02-13 08:49:24 UTC
Comment 5 Jiri Slaby 2017-02-13 08:51:42 UTC

42.2 contains:
0.16.560.575 (2016-07-27)

42.1 contains:
0.16.475 (2015-09-25)
Comment 6 Marcus Meissner 2017-10-26 08:32:09 UTC
i think we are done