CVE-2014-5075 MitM Vulnerability in the Smack XMPP Library for Java

Georg Lukas, rt-solutions.de, 2014-08-05

Smack is an Open Source XMPP (Jabber) client library for instant messaging and presence written in Java. Smack prior to version 4.0.2 is vulnerable to TLS Man-in-the-Middle attacks, as it fails to check if the server certificate matches the hostname of the connection.

Affected versions

Details

Smack is using Java's SSLSocket, which checks the peer certificate using an X509TrustManager, but does not perform hostname verification. Therefore, it is possible to redirect the traffic between a Smack-using application and a legitimate XMPP server through the attacker's server, merely by providing a valid certificate for a domain under the attacker's control.

In Smack versions 2.2.0 to 3.4.1, a custom ServerTrustManager implementation was used, which was supplied with the connection's server name, and performed hostname verification. However, it failed to verify the basicConstraints and nameConstraints of the certificate chain (CVE-2014-0363) and has been removed in Smack 4.0.0.

Applications using Smack 2.2.0 to 3.4.1 with a custom TrustManager did not benefit from ServerTrustManager and are vulnerable as well, unless their own TrustManager implementation explicitly performs hostname verification.

Mitigation

Users of the Smack library are advised to upgrade to Smack 4.0.2, and then use connectionConfiguration.setHostnameVerifier() with a reasonable HostnameVerifier implementation. A proper hostname verifier MUST be configured to close the vulnerability.

For Smack 3.x users, a backported commit has been created. Here, a HostnameVerifier implementation needs to be supplied via connectionConfiguration.setHostnameVerifier() as well.

When using the official JRE, the internal class sun.security.util.HostnameChecker can be wrapped as described here.

If Apache's HttpClient library is available, its StrictHostnameVerifier can be used.

On Android, MemorizingTrustManager provides both certificate checking and hostname verification with interactive fallback, allowing the user to decide about the trustworthiness of a server.

Affected Applications

Smack is a library used by different applications. Therefore, the authors of the following Smack-based applications have been contacted to coordinate updated releases:

The following Smack-based applications were not affected:

Timeline