Original Release Date: 2012-08-21
Last Updated: 2012-08-21
The Server Dialback protocol is a proof-of-possession technology used between XMPP servers to provide identity verification based on the Domain Name System (DNS). The basic approach is that when a receiving server accepts a server-to-server connection from an initiating server, it does not process traffic over the connection until it has verified the initiating server's key with an authoritative DNS entry for the initiating server. Additionally, the protocol is used to negotiate whether the receiving server is accepting stanzas for the target domain. The goal of the protocol is to help prevent address spoofing on the XMPP network, which it has done effectively since its deployment on the XMPP network in October 2000.
There are four steps to the protocol:
- Authorization Request: The initiating server sends a dialback key to the receiving server for a given domain pair consisting of a source domain and a target domain.
- Verify Request: The receiving server forwards the key to the authoritative server for the domain asserted by the initiating server.
- Verify Response: The authoritative server informs the receiving server whether the key is valid or invalid.
- Authorization Response: The receiving server reports the result of the negotiation to the initiating server.
Some XMPP server implementations have not been checking the Verify Response to ensure that the receiving server previously sent a Verify Request, triggered by an Authorization Request, for the domain pair included in the Verify Response. Thus an attacking server has been able to send a Verify Response for domains that were never asserted by an initiating server, and some receiving servers would accept such domain pairs as validated.
In addition, some XMPP server implementations have not been checking the Authorization Response to ensure that the initiating server previously sent an Authorization Request for the domain pair included in the Authorization Response. Thus an attacking server has been able to send an Authorization Response for domains that were never asserted by an initiating server, and some initiating servers would accept such domain pairs as validated.
An attacking server could spoof one or more domains in communicating with a vulnerable server implementation, thereby avoiding the protections built into the Server Dialback protocol.
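The following model of the four-step exchange is an added example written for this advisory, not code from any of the servers listed below. It shows the bookkeeping a correct implementation keeps: the receiving server records each domain pair it has asked the authoritative server about, and the initiating server records each domain pair it has asked to be authorized, so that an unsolicited Verify Response or Authorization Response for an unknown pair is rejected instead of being treated as a validation. The key derivation is in the style of XEP-0185 (an HMAC over the domain pair and stream id); the domain names, secret and stream ids are constructed sample values.

```python
"""Model of the XMPP Server Dialback exchange with the pending-request checks
that this advisory describes as missing in some servers. Illustrative model,
not any server's real implementation."""
import hashlib
import hmac
from dataclasses import dataclass, field


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    # XEP-0185-style derivation: HMAC-SHA256 keyed with the hash of a long-lived
    # secret over "receiving originating stream_id", so the authoritative server
    # can recompute the key for a Verify Request without per-stream state.
    hashed = hashlib.sha256(secret).hexdigest().encode()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashed, msg, hashlib.sha256).hexdigest()


@dataclass
class AuthoritativeServer:
    domain: str
    secret: bytes

    def handle_verify_request(self, receiving, originating, stream_id, key):
        # Step 3 (Verify Response): recompute the key and compare in constant time.
        expected = dialback_key(self.secret, receiving, originating, stream_id)
        return "valid" if hmac.compare_digest(expected, key) else "invalid"


@dataclass
class InitiatingServer:
    domain: str
    secret: bytes
    outstanding: set = field(default_factory=set)  # (from, to, stream_id) awaiting step 4
    validated: set = field(default_factory=set)

    def authorization_request(self, target, stream_id):
        # Step 1 (Authorization Request): send the key and remember the pair asked about.
        key = dialback_key(self.secret, target, self.domain, stream_id)
        self.outstanding.add((self.domain, target, stream_id))
        return {"from": self.domain, "to": target, "stream_id": stream_id, "key": key}

    def handle_authorization_response(self, frm, to, stream_id, result):
        # Step 4 received: accept a result only for a pair this server actually requested.
        pair = (frm, to, stream_id)
        if pair not in self.outstanding:
            return "rejected: unsolicited authorization response"
        self.outstanding.discard(pair)
        if result == "valid":
            self.validated.add((frm, to))
        return result


@dataclass
class ReceivingServer:
    domain: str
    pending: dict = field(default_factory=dict)  # (from, to, stream_id) -> key
    validated: set = field(default_factory=set)

    def handle_authorization_request(self, req):
        # Step 1 received: record the asserted pair, then build the Verify Request (step 2).
        # Without this record there is nothing to check a Verify Response against.
        if req["to"] != self.domain:
            return None  # not accepting stanzas for this target domain
        pair = (req["from"], req["to"], req["stream_id"])
        self.pending[pair] = req["key"]
        return {"receiving": self.domain, "originating": req["from"],
                "stream_id": req["stream_id"], "key": req["key"]}

    def handle_verify_response(self, originating, stream_id, result):
        # Step 3 received: accept only for a pair that is pending from a real
        # Authorization Request; this is the check the advisory says was missing.
        pair = (originating, self.domain, stream_id)
        if pair not in self.pending:
            return "rejected: unsolicited verify response"
        del self.pending[pair]
        if result == "valid":
            self.validated.add((originating, self.domain))
        return result  # becomes the Authorization Response (step 4)


def run_scenarios():
    secret = b"constructed-long-lived-secret"  # constructed sample value
    initiator = InitiatingServer("example.com", secret)
    authoritative = AuthoritativeServer("example.com", secret)
    receiver = ReceivingServer("example.net")
    stream_id = "D60000229F"  # constructed stream id

    # Honest exchange, steps 1 through 4.
    req = initiator.authorization_request("example.net", stream_id)
    verify_req = receiver.handle_authorization_request(req)
    verdict = authoritative.handle_verify_request(**verify_req)
    auth_result = receiver.handle_verify_response(req["from"], stream_id, verdict)
    honest = initiator.handle_authorization_response(req["from"], req["to"], stream_id, auth_result)

    # Unsolicited Verify Response for a pair never asserted: must be rejected.
    forged_verify = receiver.handle_verify_response("victim.example", "BOGUS1", "valid")
    # Unsolicited Authorization Response for a pair never requested: must be rejected.
    forged_auth = initiator.handle_authorization_response("example.com", "victim.example", "BOGUS2", "valid")

    return {"honest": honest, "forged_verify": forged_verify, "forged_auth": forged_auth,
            "receiver_validated": sorted(receiver.validated),
            "initiator_validated": sorted(initiator.validated)}
```

Running `run_scenarios()` shows the honest pair validated on both sides while both forged messages are rejected and leave the validated sets untouched. The essential design choice is that the pending and outstanding sets are keyed by the full (from, to, stream id) triple, so a response can only match a request made on the same stream.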
Upgrade to corrected server code.
| Vendor | Product | Status | Date Notified | Date Updated |
|---|---|---|---|---|
| Apple Inc. | iChat Server | Affected | 2012-08-07 | 2012-08-09 |
| Cisco Systems, Inc. | Jabber XCP | Unaffected | 2012-08-02 | 2012-08-02 |
| IBM | Lotus Sametime Gateway | Unaffected | 2012-08-09 | 2012-08-09 |
| IceWarp | IceWarp Instant Messaging Server | Unknown | 2012-08-02 | 2012-08-02 |
| jabberd 1.x | jabberd 1.x | Unaffected | 2012-08-02 | 2012-08-07 |
| jabberd 2.x | jabberd 2.x | Fixed | 2012-08-02 | 2012-08-08 |
The vulnerability has been separately discovered by multiple teams in the past. Thanks to Philipp Hancke for recently reporting it in a more public fashion. Thanks also to Dave Cridland, Tomasz Sterna, and Matthew Wild for their feedback. This report was written by Peter Saint-Andre.
If you have feedback, comments, or additional information about this vulnerability, please send email to the firstname.lastname@example.org discussion list.