Georg Lukas, rt-solutions.de, 2014-08-05
Smack is an Open Source XMPP (Jabber) client library for instant messaging and presence written in Java. Smack prior to version 4.0.2 is vulnerable to TLS Man-in-the-Middle attacks, as it fails to check if the server certificate matches the hostname of the connection.
SSLContextis supplied via
Smack is using Java's
SSLSocket, which checks the peer certificate using an
X509TrustManager, but does not perform hostname verification. Therefore, it is possible to redirect the traffic between a Smack-using application and a legitimate XMPP server through the attacker's server, merely by providing a valid certificate for a domain under the attacker's control.
In Smack versions 2.2.0 to 3.4.1, a custom
ServerTrustManager implementation was used, which was supplied with the connection's server name, and performed hostname verification. However, it failed to verify the basicConstraints and nameConstraints of the certificate chain (CVE-2014-0363) and has been removed in Smack 4.0.0.
Applications using Smack 2.2.0 to 3.4.1 with a custom
TrustManager did not benefit from
ServerTrustManager and are vulnerable as well, unless their own
TrustManager implementation explicitly performs hostname verification.
Users of the Smack library are advised to upgrade to Smack 4.0.2, and then use
connectionConfiguration.setHostnameVerifier() with a reasonable
HostnameVerifier implementation. A proper hostname verifier MUST be configured to close the vulnerability.
For Smack 3.x users, a backported commit has been created. Here, a
HostnameVerifier implementation needs to be supplied via
connectionConfiguration.setHostnameVerifier() as well.
When using the official JRE, the internal class
sun.security.util.HostnameChecker can be wrapped as described here.
If Apache's HttpClient library is available, its
StrictHostnameVerifier can be used.
On Android, MemorizingTrustManager provides both certificate checking and hostname verification with interactive fallback, allowing the user to decide about the trustworthiness of a server.
Smack is a library used by different applications. Therefore, the authors of the following Smack-based applications have been contacted to coordinate updated releases:
The following Smack-based applications were not affected:
TrustManagerperforming hostname verification)