Impact
IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects.
This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected.
The issue occurred:
- For
mntner objects where all password hash names (MD5-PW and CRYPT-PW) were in lower or mixed case in the auth attribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with the export_destination setting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names which means very few of those objects were affected.
- For any GraphQL queries that queried the
auth field on mntner objects.
- For any GraphQL queries that queried the
objectText field on the journal field on mntner objects, if the nrtm_access_list setting permitted journal access.
The two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed.
Patches
This has been fixed in IRRd 4.2.3 and the main branch.
Versions in the 4.1.x series never were affected.
Workarounds
Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually for 4.2.x (tested on 4.2.2) or main.
References
For further detail, see the release notes for 4.2.3.
For more information
If you have any questions or comments about this advisory:
Impact
IRRd did not always filter password hashes in query responses relating to
mntnerobjects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects.This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected.
The issue occurred:
mntnerobjects where all password hash names (MD5-PWandCRYPT-PW) were in lower or mixed case in theauthattribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with theexport_destinationsetting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names which means very few of those objects were affected.authfield onmntnerobjects.objectTextfield on thejournalfield onmntnerobjects, if thenrtm_access_listsetting permitted journal access.The two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed.
Patches
This has been fixed in IRRd 4.2.3 and the main branch.
Versions in the 4.1.x series never were affected.
Workarounds
Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually for 4.2.x (tested on 4.2.2) or main.
References
For further detail, see the release notes for 4.2.3.
For more information
If you have any questions or comments about this advisory: