-
ernst.on.tour
Somebody working with Apache and/or log4j? Have a look at CVE-2021-44228. Will kill my weekend 😕
-
MattJ
Confirmed that Tigase is not vulnerable, but I haven't looked into Openfire
-
Wojtek
yeah, we don't use log4j
-
moparisthebest
I thought people switched to logback ages ago, apparently not
-
jonas’
thinking that people upgraded ages ago is always dangerous
-
TheCoffeMaker
Thinking is dangerous (?) 🤣
-
jonas’
~thinking~ that people upgraded ages ago is always a dangerous assumption
-
jonas’
TheCoffeMaker, there I fixed it ;)
-
TheCoffeMaker
lol
-
MattJ
Openfire apparently vulnerable: https://discourse.igniterealtime.org/t/openfire-4-6-5-released/91108
-
MattJ
That will be fun. There are a lot of poorly-maintained Openfire installations around...
-
tom
openfire still works?
-
tom
when I try to open the client it just is a blank white window
-
Sapotaceae
The log4j vuln is already being abused in wild
-
ernst.on.tour
Yeah, just left the company after 16h of work, colleagues will stay. My turn will be tomorrow again. There are pictures of hacking Amazon and other big players, seems to be a big impact. Each jar which uses log4j and opens a port will possibly be attackable
-
moparisthebest
I guess we could exploit the openfire bug to upgrade openfire for them
-
MattJ
Not the first time such a suggestion has been made about Openfire :P
-
MattJ
Though it's been a while
-
moparisthebest
https://twitter.com/cyb3rops/status/1469343827228086278 accurate
-
Martin
Does Openfire have a bad record?
-
MattJ
The biggest one was the failure to check the username of password changes. In XMPP you send a <username>youruser</username><password>new-password</password>, but Openfire didn't check that the username was your username
-
MattJ
So you could set any user's password, including the default 'admin' account
-
MattJ
Which in turn could be used to log into the web admin that it serves by default
-
moparisthebest
That's awesome
-
MattJ
Combine that with the numerous web interface flaws and the fact that many Openfire admins just run it as root (or Windows equivalent), and... yeah
-
moparisthebest
Actually the main npm registry just had the same bug
-
mathieui
https://twitter.com/kikta/status/1469388635954978822 love it
-
mathieui
Oops wrong MUC my bad (still relevant but unintended)
-
tom
java?
-
Menel
> in the case of Minecraft, attackers were able to get remote code execution on Minecraft servers by simply pasting the malicious string into the chat box.
Everything is just broken. We always have to remind ourselves.
-
kahlb
Probably relevant for those worrying about log4j: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
-
Maranda
Huhu I vaguely recall there's a lot of Java in Ubiquiti firmware...
-
Maranda
That's gonna be fun.
-
kahlb
I've never seen a vuln that is so critical and so easy to exploit. Compared to this, Heartbleed was rocket science and more limited in its impact. We're gonna be veeeery busy with this one for the next months...
-
MattJ
In fairness Heartbleed was quite a bit more widespread, as the "market share" of OpenSSL is quite large, covering most things that do TLS
-
MattJ
Many systems don't run Java services, and those that do don't necessarily run log4j (of the 2 publicly-accessible Java services I admin, neither use log4j)
-
tom
I really want to have a centralized password/login management across my xmpp server, dovecot imap, INN nntp, and ssh unix system
-
tom
is ldap the way to do that?
-
tom
i'm not familiar with ldap
-
MattJ
LDAP is probably the best way to do that, yes... everything supports it
-
ij
can confirm
-
tom
also, is there a way with such a centralized login system to only allow certain users or groups access to, say, the xmpp service, ssh shell accounts, imap, and network news?
-
tom
Is there any good resources you can point me to for getting started with it then?
-
tom
at least understanding the system
-
ij
you can use groups and ldap filters to limit access to certain groups
-
tom
if i'm understanding right, ldap isn't used alone. it's part of a larger openldap+kerberos+session tickets system, yes?
-
moparisthebest
tom: I do that with accounts in a SQL database
-
tom
I've done that before with a sql database and a python library
-
tom
but it becomes a bit tricky when you want to use existing software, or not just validate passwords but have things like session tickets and only allow access to some systems
-
moparisthebest
Nginx, prosody, dovecot, postfix, nextcloud etc etc all use the same user+pass
-
ij always sees messages from tom twice… hmmm
-
tom
ij, no idea why looks normal from my side
-
moparisthebest
Each account has a Boolean column that grants/denies access to each service
-
tom
but then how do you handle other attributes, like home directory, unix user groups,
-
tom
gecos
-
tom
nicknames
-
tom
allowed email FROM addresses
-
moparisthebest
tom: I use postfixadmin which handles all that, I added the other columns for XMPP and http etc later
-
Martin
> The biggest one was the failure to check the username of password changes. In XMPP you send a <username>youruser</username><password>new-password</password>, but Openfire didn't check that the username was your username
> So you could set any user's password, including the default 'admin' account
> Which in turn could be used to log into the web admin that it served by default
😳
-
moparisthebest
Same exact bug https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/#security-issues-related-to-the-npm-registry
-
tom
does anyone know of a good guide for getting started with openldap central authentication?