SECURITY ADVISORY
==================

A serious issue has been found in the Windows SSL versions of
UnrealIRCd 3.2.9 and 3.2.10-rc1.
This issue allows someone to remotely crash the server.
Admins of affected systems should upgrade immediately.
Note that only Windows versions with SSL support are affected.

==[ AFFECTED VERSIONS ]==
Vulnerable versions:
* 3.2.9 on Windows with SSL support
* 3.2.10-rc1 on Windows with SSL support

Not vulnerable:
* 3.2.9 and 3.2.10-rc1 on *NIX (Linux, FreeBSD, ..)
* 3.2.9 and 3.2.10-rc1 on Windows without SSL support
* 3.2.9-winsslfix and 3.2.10-rc1-winsslfix
* 3.2.8.1 and earlier

If you are unsure which version you are using, then follow this procedure:
Type /VERSION on IRC (on some clients you might have to type /QUOTE VERSION)
This should return a string like:
  Unreal3.2.9. server.name FhinWXeOoZE
This contains the version number, the server name, and the compile flags.
You are vulnerable if ALL these three conditions are met:
* The version is 'Unreal3.2.9' or 'Unreal3.2.10-rc1'
* The compile flags contain a 'W' (this means you're on Windows)
* The compile flags contain a lower case 'e' (this means you're using the
  SSL version)
Fixed Windows SSL versions can be identified by having 'winsslfix' in their
version name.

==[ SHOULD I UPGRADE? ]==
If you are using any of the vulnerable versions then you should upgrade
immediately as this is a serious issue.

Unfortunately there are no mitigating factors: even if you don't actually
use SSL, or if you have password-protected your server or hub, then you
are still vulnerable to this particular attack.

==[ FIXED VERSIONS ]==
New Windows SSL versions are available from: http://www.unrealircd.com/

There's no update for *NIX or the non-SSL Windows version, as these are
safe and thus do not require any update.

==[ IMPACT ]==
This issue will result in a direct server crash.
There's no possibility to execute any code, nor is there any information
disclosure.

==[ CVSS ]==
CVSS v2.0 report:
Confidentiality Impact:    None
Integrity Impact:          None
Availability Impact:       Complete
Access Vector:             Network
Access Complexity:         Low
Authentication:            None
CVSS Base Score:           7.8

Availability of exploit:   Proof of concept code[*]
Type of fix available:     Official fix
CVSS Temporal Score:       6.1

[*] Proof of concept / exploit is currently not public. This is expected
    to change soon after the release of this security bulletin.

==[ TIMELINE ]==
Times are in UTC
2012-11-11 19:20 Bug reported
2012-11-12 11:03 Bug confirmed by developer
2012-11-12 11:22 Bug traced, fix available
2012-11-12 13:45 Fixed versions compiled and packaged
2012-11-12 14:00 Security announcement

==[ SOURCE ]==
This advisory (and updates to it, if any) is posted to:
http://www.unrealircd.com/txt/unrealsecadvisory.20121112.txt
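
The /VERSION check described under AFFECTED VERSIONS can be scripted for admins who need to triage several servers. The following is an added example, not part of the original advisory or of UnrealIRCd; the function names, the result labels and the handling of a raw numeric prefix before the version token are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# The two releases the advisory lists as vulnerable on Windows with SSL.
VULNERABLE_VERSIONS = {"Unreal3.2.9", "Unreal3.2.10-rc1"}


class VersionInfo(NamedTuple):
    version: str  # e.g. "Unreal3.2.9"
    server: str   # e.g. "server.name"
    flags: str    # compile flags, e.g. "FhinWXeOoZE"


def parse_version_reply(reply: str) -> Optional[VersionInfo]:
    """Find the 'Unreal<digit>...' token; the next two tokens are server and flags.

    Assumption: anything before the version token (such as a raw numeric
    prefix) is ignored, and a leading ':' on the flags is dropped.
    """
    tokens = reply.split()
    for i, tok in enumerate(tokens):
        if re.match(r"Unreal\d", tok) and i + 2 < len(tokens):
            return VersionInfo(tok.rstrip("."), tokens[i + 1],
                               tokens[i + 2].lstrip(":"))
    return None


def assess(reply: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-vulnerable' or 'unknown'."""
    info = parse_version_reply(reply)
    if info is None:
        return "unknown"
    if "winsslfix" in info.version:
        return "fixed"
    # All three conditions must hold; the flag test is case-sensitive,
    # so an upper-case 'E' does not count as the SSL flag 'e'.
    if (info.version in VULNERABLE_VERSIONS
            and "W" in info.flags and "e" in info.flags):
        return "vulnerable"
    return "not-vulnerable"


if __name__ == "__main__":
    # First line is the advisory's own sample; the rest are constructed.
    for line in ("Unreal3.2.9. server.name FhinWXeOoZE",
                 "Unreal3.2.9-winsslfix. irc.example.net FhinWXeOoZE",
                 "Unreal3.2.10-rc1. irc.example.net FhinXeOoZE",
                 "Unreal3.2.9. irc.example.net FhinWXOoZE"):
        print(f"{assess(line):15} {line}")
```

A result of 'unknown' means no version token was found in the reply and the server should be checked by hand.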