CVE-2016-1232

moderate-risk
Published 2016-01-12

The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to spoof servers via a brute force attack.

Do I need to act?

-
0.71% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (13)

Prosody
Prosody
Prosody
Prosody
Prosody
Prosody
Prosody
Prosody
Prosody

Affected Vendors

Debian Prosody Fedoraproject

References (14)

Patch http://blog.prosody.im/prosody-0-9-9-security-release/
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.ht...
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.ht...
http://www.debian.org/security/2016/dsa-3439
http://www.openwall.com/lists/oss-security/2016/01/08/5
https://prosody.im/issues/issue/571
Vendor Advisory https://prosody.im/security/advisory_20160108-2/
Patch http://blog.prosody.im/prosody-0-9-9-security-release/
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175829.ht...
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175868.ht...
http://www.debian.org/security/2016/dsa-3439
http://www.openwall.com/lists/oss-security/2016/01/08/5
https://prosody.im/issues/issue/571
Vendor Advisory https://prosody.im/security/advisory_20160108-2/
45
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 17/34 · Moderate