fkie_nvd - fkie_cve-2016-1232

fkie_cve-2016-1232

Vulnerability from fkie_nvd

Published

2016-01-12 20:59

Modified

2025-04-12 10:46

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.

References

URL	Tags
security@debian.org	http://blog.prosody.im/prosody-0-9-9-security-release/	Patch, Vendor Advisory
security@debian.org	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html
security@debian.org	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html
security@debian.org	http://www.debian.org/security/2016/dsa-3439
security@debian.org	http://www.openwall.com/lists/oss-security/2016/01/08/5
security@debian.org	https://prosody.im/issues/issue/571
security@debian.org	https://prosody.im/security/advisory_20160108-2/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://blog.prosody.im/prosody-0-9-9-security-release/	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2016/dsa-3439
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/01/08/5
af854a3a-2127-422b-91ae-364da2661108	https://prosody.im/issues/issue/571
af854a3a-2127-422b-91ae-364da2661108	https://prosody.im/security/advisory_20160108-2/	Vendor Advisory

Impacted products

Vendor	Product	Version
prosody	prosody	*
prosody	prosody	0.9.0
prosody	prosody	0.9.1
prosody	prosody	0.9.2
prosody	prosody	0.9.3
prosody	prosody	0.9.4
prosody	prosody	0.9.5
prosody	prosody	0.9.6
prosody	prosody	0.9.7
fedoraproject	fedora	22
fedoraproject	fedora	23
debian	debian_linux	7.0
debian	debian_linux	8.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "83032BB7-AE53-4E17-90F1-5BA84367BC23",
              "versionEndIncluding": "0.9.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "69BF8C97-A90B-4F1D-9300-F8BF411BDF69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B70430C5-9AA2-46D5-B7DD-ED08CB980F47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "19FFAE24-10BB-4F88-A0BF-105B4B6A702D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "668FF630-38DC-44BF-ACC8-2F519B788175",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DADDF029-1D55-4B48-B535-BBF677B10C29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB07BA0E-AA91-4773-AC6C-63C825D6D114",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6E8D0F2-485E-441A-94F5-5FEF084B38F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:prosody:prosody:0.9.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2251303-150D-439D-9AE3-A0B61379A0B4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
              "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
              "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo mod_dialback en Prosody en versiones anteriores a 0.9.9 no genera adecuadamente valores aleatorios para para el token secreto en la autenticaci\u00f3n de devoluci\u00f3n de llamada de servidor a servidor, lo que hace que sea m\u00e1s f\u00e1cil para atacantes suplantar servidores a trav\u00e9s de un ataque de fuerza bruta."
    }
  ],
  "evaluatorComment": "\u003ca href=\"https://cwe.mitre.org/data/definitions/338.html\"\u003eCWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\u003c/a\u003e",
  "id": "CVE-2016-1232",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-01-12T20:59:10.200",
  "references": [
    {
      "source": "security@debian.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
    },
    {
      "source": "security@debian.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.debian.org/security/2016/dsa-3439"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
    },
    {
      "source": "security@debian.org",
      "url": "https://prosody.im/issues/issue/571"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://prosody.im/security/advisory_20160108-2/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://blog.prosody.im/prosody-0-9-9-security-release/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2016/dsa-3439"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/08/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://prosody.im/issues/issue/571"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://prosody.im/security/advisory_20160108-2/"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2016-1232 (GCVE-0-2016-1232)

Vulnerability from cvelistv5

Published

2016-01-12 20:00