oss-sec mailing list archives

CVE Request: zeromq downgrade attack

From: Alessandro Ghedini <alessandro () ghedini me>
Date: Thu, 7 May 2015 16:49:08 +0200

[ CCing upstream mailing list ]

Hello,

From https://github.com/zeromq/libzmq/issues/1273 :

It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a
ZMTP v2 or earlier header. The library accepts such connections without
applying its security mechanism.

Solution: if security is defined on a socket, reject all V2 and earlier
connections, unconditionally.


A patch for the zeromq 4.0.x stable series is available at
https://github.com/zeromq/zeromq4-x/commit/b6e3e0f601e2c1ec1f3aac880ed6a3fe63043e51

AFAICT no CVE has been assigned (or requested) for this, and the issue has
been public since December of last year.

Could a CVE be assigned please?

Cheers

Attachment: signature.asc
Description: Digital signature

Current thread:

CVE Request: zeromq downgrade attack Alessandro Ghedini (May 07)
- Re: CVE Request: zeromq downgrade attack Salvatore Bonaccorso (May 10)
- Re: CVE Request: zeromq downgrade attack Alessandro Ghedini (May 15)
- Re: CVE Request: zeromq downgrade attack cve-assign (May 21)
  - Re: CVE Request: zeromq downgrade attack Alessandro Ghedini (May 22)