Icecast Streaming Media Server Forum Index
Icecast is a Xiph Foundation Project

Icecast and vulnerable to the POODLE attack

 
JohnnyOh (Joined: 10 Feb 2009, Posts: 50, Location: Germany)
Posted: Mon Oct 20, 2014 3:05 pm    Post subject: Icecast and vulnerable to the POODLE attack

Hi,

as mentioned I succeeded in installing SSL to my icecast.

Unfortunately there are some issues I am not able to solve:

How do I disable SSL 3 on my Icecast?

https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

Is there any chance to disable SSL 3 ?

Edit:

There seem to be also vulnerabilities to

"Crime" attack (https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls)
Forward Secrecy (https://en.wikipedia.org/wiki/Forward_secrecy)

If there are any possibilities to solve these issues, please tell me.
_________________
Icecast 2.4.0 (debian)
and
icecast 2.3.2-kh32 (debian)

shoutcast 1.9.5 (debian)
dm8tbr (Joined: 09 Feb 2013, Posts: 45, Location: icecast.org)
Posted: Sun Oct 26, 2014 7:34 am

I'd recommend using a version of openSSL that's not vulnerable to those in the first place.
If after that there is something specific to how Icecast uses openSSL that creates a security problem, then we should address it.
JohnnyOh (Joined: 10 Feb 2009, Posts: 50, Location: Germany)
Posted: Mon Oct 27, 2014 1:12 pm

Thanks for your reply. I have already spent a lot of time on this issue, but have not yet succeeded.

I have a Debian Wheezy with icecast 2.4 and openssl-1.0.1e.

So OpenSSL should be fixed, but the server is still vulnerable.

I expect the "application" itself has to have the feature to disable SSLv3 or enable "TLS_FALLBACK_SCSV".

It would be great, if you could tell me what to do.
dm8tbr (Joined: 09 Feb 2013, Posts: 45, Location: icecast.org)
Posted: Sun Nov 02, 2014 5:02 pm

We're working on a general overhaul of our openSSL usage in Icecast and will release most of it as part of Icecast 2.4.1 very soon.

If you want to do something right now and are on Debian:
apt-get source icecast2
apt-get build-dep icecast2
apt-get install libssl-dev
cd icecast2
Apply the two patches from https://trac.xiph.org/ticket/2071 and https://trac.xiph.org/ticket/2072 or add them to the patch queue in the debian directory
dpkg-buildpackage
cd ..
dpkg -i icecast2…deb

The cipher list you could just as well put in your config without recompiling:
<paths>

<ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>

It might work to disable SSLv3 through it, but I haven't tested that fully:
<ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:-SSLv3</ssl-allowed-ciphers>
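An added check for the cipher list above (example code, not Icecast's own or the Debian package's; the icecast.xml fragment is constructed): it reads <ssl-allowed-ciphers> from <paths> and hands the string to the local OpenSSL through Python's ssl module, which expands it the same way a server-side SSL_CTX_set_cipher_list call would, then reports which suites would actually be offered, which ones lack forward secrecy (static RSA key exchange, a point raised in the first post) and which ones still use 3DES or MD5.

```python
"""Expand an Icecast <ssl-allowed-ciphers> string with the local OpenSSL.

Added example, not Icecast's code. Python's ssl module is used as a
stand-in for Icecast's own call into OpenSSL; the config fragment
below is constructed and reuses the cipher list from the post above.
"""
import ssl
import xml.etree.ElementTree as ET

# Constructed icecast.xml fragment (only the part this script needs).
SAMPLE_CONFIG = """<icecast>
  <paths>
    <ssl-allowed-ciphers>ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS</ssl-allowed-ciphers>
  </paths>
</icecast>"""

# Substrings in an OpenSSL suite name that mark a weak primitive.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")


def cipher_string_from_config(xml_text):
    """Return the <paths>/<ssl-allowed-ciphers> text, or None if absent."""
    node = ET.fromstring(xml_text).find("./paths/ssl-allowed-ciphers")
    return node.text.strip() if node is not None and node.text else None


def audit_ciphers(cipher_string):
    """Expand cipher_string with OpenSSL and classify the resulting suites.

    Returns the TLS <= 1.2 suite names that would be offered, those without
    forward secrecy (Kx is neither ECDH nor DH) and those built on a weak
    primitive. Raises ssl.SSLError if nothing in the string matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are fixed and not selected by the cipher string.
    offered = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    names = [c["name"] for c in offered]
    no_pfs = [c["name"] for c in offered
              if "Kx=ECDH" not in c["description"]
              and "Kx=DH" not in c["description"]]
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return {"offered": names, "no_forward_secrecy": no_pfs, "weak": weak}


if __name__ == "__main__":
    report = audit_ciphers(cipher_string_from_config(SAMPLE_CONFIG))
    for key, suites in report.items():
        print(f"{key}: {len(suites)}")
        for suite in suites:
            print("   ", suite)
```

The exact suites listed depend on the OpenSSL build Python links against, which is the point: run it on the Icecast host to see what that host's library makes of the string.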
JohnnyOh (Joined: 10 Feb 2009, Posts: 50, Location: Germany)
Posted: Thu Nov 27, 2014 4:38 pm

Thank you for your hints.

If something is needed to ensure security with icecast 2.4, please follow these instructions:

1. add "deb http://http.us.debian.org/debian/ testing non-free contrib main" to the sources list in debian
2. install libc6 from repository "testing"
3. Download http://ftp.de.debian.org/debian/pool/main/o/openssl/openssl_1.0.1j-1_i386.deb
4. Install openssl from downloaded package
5. install libssl1.0.0
6. remove libssl-dev
7. remove testing repository from sources-list
8. restart all services using libc
9. check at https://www.ssllabs.com/ssltest/analyze.html

Afterwards the server will not be vulnerable to POODLE anymore.

Please note that you are using these instructions at your own risk. It works for my instances. It may be possible that the corresponding updates are already in the main repository. I did not check anymore.