UnrealIRCd 5 and UnrealIRCd 6 can be crashed by a regular user when a certain command is sent. This results in all users being disconnected from the server. There is no other risk than crashing (no buffer overflow or anything, no risk of remote code execution).

If you have any deny dcc { } blocks in the config file or spamfilters on the 'd' (dcc) target then the server can be crashed. This is true for many servers as there is a deny dcc { } block in the example configuration file (example.conf).

All U5 and U6 versions before January 28, 2022 are affected, so:

  • UnrealIRCd 5.0.0 - 5.2.3
  • UnrealIRCd 6.0.0 - 6.0.2-rc1
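
The following shell helper is an added example, not part of the original advisory or of UnrealIRCd itself. It classifies a version string against the ranges listed above and checks config files for an uncommented deny dcc block; the function names and the sample config are constructed for illustration, and neither spamfilters on the 'd' target nor the hot-patch state are checked.

```sh
# Added triage helper, not UnrealIRCd code. Ranges are the ones listed above.
# is_affected_version VERSION -> 0 = in a listed range, 1 = outside, 2 = unparseable
is_affected_version() {
    v=${1#UnrealIRCd-}          # accept "UnrealIRCd-6.0.1" or "6.0.1"
    base=${v%%-*}               # "6.0.2-rc1" -> "6.0.2"
    suffix=${v#"$base"}         # "-rc1", or empty for a release
    case $base in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    case $1 in
        5)  # 5.0.0 - 5.2.3
            [ "$2" -lt 2 ] && return 0
            [ "$2" -eq 2 ] && [ "$3" -le 3 ] && return 0
            return 1 ;;
        6)  # 6.0.0 - 6.0.2-rc1; the 6.0.2 release carries the fix
            [ "$2" -eq 0 ] || return 1
            [ "$3" -lt 2 ] && return 0
            [ "$3" -eq 2 ] && [ "$suffix" = "-rc1" ] && return 0
            return 1 ;;
    esac
    return 1
}

# conf_has_deny_dcc FILE... -> 0 when a line opens an uncommented "deny dcc" block
# (heuristic: lines starting with # or // are skipped, /* */ comments are not)
conf_has_deny_dcc() {
    grep -Eq '^[[:space:]]*deny[[:space:]]+dcc([[:space:]{]|$)' "$@"
}

# triage VERSION FILE... : prints a one-word verdict for an inventory sheet
triage() {
    ver=$1; shift
    rc=0; is_affected_version "$ver" || rc=$?
    case $rc in
        2) echo unknown-version ;;
        1) echo not-listed ;;
        0) if conf_has_deny_dcc "$@"; then echo crashable-unless-patched
           else echo affected-version-review-spamfilters; fi ;;
    esac
}

# Constructed sample config containing a deny dcc block.
sample=$(mktemp); printf 'deny dcc {\n\tfilename "*.exe";\n}\n' > "$sample"
triage 6.0.1 "$sample"      # crashable-unless-patched
triage 5.2.4 "$sample"      # not-listed
rm -f "$sample"
```

Pass every config file the server loads, including included files, since the check only sees the files it is given.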

We recommend that admins apply the hot-patch (see next section) ASAP; it fixes the issue with zero downtime.

Apply hot-patch; no restart needed
*NIX users can fix this issue without needing to restart their IRC server. Windows users will have to upgrade (see next section).

Go to your UnrealIRCd installation directory and then run:

cd /home/USER/unrealircd
./unrealircd hot-patch dcc_crash

This should end with the message "Done! All should be good now." It is a good idea to double-check on IRC that your server is fixed; see the end of this news article.

The command above is the recommended method. If you instead prefer to work with patch files and know how to apply them, they can be fetched separately; there are 4 variants: 6.0.x / 5.2.x / 5.0.5-5.0.9 / 5.0.0-5.0.4. Another alternative is to upgrade to 6.0.2 or 5.2.4 (see next section).

Alternative: Upgrading
You can also choose to upgrade your entire UnrealIRCd, for example because you want the latest UnrealIRCd 6 features, or because you are on Windows and cannot apply the hot-patch. For this we have released two new UnrealIRCd versions:

  • UnrealIRCd 5.2.4: compared to the previous release, the only additions are the patch for the crash and a version bump
  • UnrealIRCd 6.0.2: compared to the previous release, it contains lots of enhancements and fixes, and of course also the patch for the crash and a version bump

*NIX users typically upgrade to this version by running:

./unrealircd upgrade

You can also manually download and install UnrealIRCd from sisrv.net/files.

Verifying the server is now OK / Checking vulnerable / not vulnerable
As an IRCOp you can check on IRC whether the hot-patch has been applied successfully, whether your upgrade went OK, or whether the server is still crashable (still has the bug). Doing this check is a good idea.



Sunday, January 30, 2022
