UNREALIRCD SECURITY ADVISORY
=============================

Summary: If SASL support is enabled in UnrealIRCd (this is not the default)
and is also enabled in your services package then a malicious user with
a services account can cause UnrealIRCd to crash.

Most people have not enabled SASL, and those who do can easily fix
this potential crash issue without a server restart. See below.

This bug was reported by Kevin Weidemann.

Index:
* Who is affected
* Solutions
* Workaround
* Patch / hotfix
* New versions
* Bug details
* Timeline
* References

==[ WHO IS AFFECTED ]==
For a user to be able to crash UnrealIRCd *ALL* of the following conditions
must be true:
1) Must be running UnrealIRCd version 3.2.10 or higher (including 3.2.10.4).
   The 3.4.x series are also affected (including 3.4-beta2).
2) In your configuration file (unrealircd.conf or included files) you have
   configured a SASL server via set::sasl-server
3) You are using a services package (such as anope) and the server is linked
4) SASL support is enabled in your services
5) The malicious user has (or can) register an account at services (usually
   via NickServ).

If one of the points above is not true for your installation then a remote
user cannot crash your server via this bug. In particular, if you are not
using SASL then no patch or upgrade is needed and you can stop reading here.

If you are unsure if you have enabled SASL then search for sasl-server
in your configuration files. If this word is not found then SASL is
disabled. This will actually be the case for the majority of installations.
When SASL is enabled in the configuration file it will look like this:
set {
        sasl-server "services.something.net";
};

==[ SOLUTIONS ]==
For UnrealIRCd 3.2.10.x we present 3 possible solutions in case you are
affected by this bug:
1) A workaround (NO restart needed)
2) A patch (NO restart needed) (*NIX only)
3) A new UnrealIRCd version (for new installations)

For the UnrealIRCd 3.4 beta series we suggest you to upgrade to 3.4-beta3.

==[ WORKAROUND ]==
If you remove the sasl-server directive from your configuration file
and rehash the IRCd then SASL support will be disabled.
This is an easy workaround but for most people who have SASL enabled this
won't be an acceptable solution.

==[ PATCH / HOTFIX ]==
If you are on *NIX then it's possible to fix the crash issue by patching
the source, recompiling UnrealIRCd, and then rehashing the server.
This will fix your IRC server without requiring a server restart.

Execute the following commands on the shell from your UnrealIRCd directory,
for example from /home/irc/Unreal3.2.10.4:

wget http://www.unrealircd.org/downloads/sasl.patch
patch -p0 <sasl.patch
make && make install

After doing the above you must rehash the IRCd. Either online as an IRCOp
by using the /REHASH command, or via ./unreal rehash on the command line.

==[ NEW VERSIONS ]==
New versions of UnrealIRCd are available which include a fix for this issue.
They are 3.2.10.5 (stable) and 3.4-beta3 (development version).
The new versions are meant for Windows users and new installations.
For *NIX users with existing installations we suggest to use the patch or
workaround instead because doing so incurs no downtime.

==[ BUG DETAILS ]==
Type of bug:          Crash due to NULL pointer dereference

CVSS v2:              AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVSS Base Score:      6.8
CVSS Temporal Score:  5.6

==[ TIMELINE ]==
Times are in UTC+2
2015-08-13 00:20    Bug reported privately to UnrealIRCd team
2015-08-13 07:55    First response
2015-08-13 16:05    Bug confirmed by developer
2015-08-15 16:15    Patched
2015-08-16 09:00    Source and binary releases ready
2015-08-16 15:05    Security advisory sent out

==[ REFERENCES ]==
This advisory (and updates to it, if any) is available from:
https://www.unrealircd.org/txt/unrealsecadvisory.20150816.txt
Forum thread:
https://forums.unrealircd.org/viewtopic.php?t=8401