InspIRCd Security Advisory 2021-01

Summary

InspIRCd before v3.10.0 contains a memory disclosure vulnerability. This vulnerability allows access to recently deallocated memory by any user able to connect to a server. It is believed that the most the most likely memory to be disclosed is information regarding messages sent to the calling user but other information can not currently be ruled out.

Thanks to @AndrioCelos for reporting this issue.

Affected Versions

This vulnerability is present in the following releases:

• v3.8.0
• v3.8.1
• v3.9.0

Recommended Action

This vulnerability is fixed in version 3.10.0. It is strongly recommended that all affected users upgrade.

If upgrading is not possible then you should apply either this patch for v3.8.0 or v3.8.1 or this patch for v3.9.0 followed by running /RELOADMODULE core_user as a server operator.

History

• 2020-10-26 — The vulnerability was introduced.
• 2021-05-14 — A malformed PONG response was reported to the InspIRCd Team.
• 2021-05-14 — The cause of the malformed response was identified as a memory disclosure by the InspIRCd team and a fix was prepared.
• 2021-05-14 — InspIRCd v3.10.0 was released with a fix for the memory disclosure vulnerability.

References

• InspIRCd commit 4350a11c.
• CVE-2021-33586