
Problem: V3 protocol handler vulnerable to downgrade attacks #1273

Closed
hintjens opened this issue Dec 4, 2014 · 1 comment

Comments

@hintjens
Member

commented Dec 4, 2014

It is easy to bypass the security mechanism in 4.1.0 and 4.0.5 by sending a ZMTP v2 or earlier header. The library accepts such connections without applying its security mechanism.

Solution: if security is defined on a socket, reject all V2 and earlier connections, unconditionally.

Fixed by #6cf120 and related commits.
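The check the issue calls for, as an added illustration that is not libzmq's own code: a peer's opening bytes are classified as ZMTP 1.0, 2.0 or 3.x, and once a non-NULL mechanism is configured on the socket any pre-3.0 peer is refused before any further handshake, because those protocol versions carry no mechanism field and would otherwise be admitted with no authentication. The greeting layouts follow the ZMTP 2.0 and 3.0 specifications; the 0xFF / low-bit heuristic that tells a 3.x or 2.0 signature apart from a 1.0 long-form identity frame, and the function names, reason strings and sample greetings, are this example's own assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Protocol generations a peer greeting can resolve to.
enum class ZmtpVersion { Incomplete, V1, V2, V3 };

// ZMTP 3.x greeting layout (64 bytes), per the ZMTP 3.0 spec:
//   [0]      0xFF  signature start
//   [1..8]   padding
//   [9]      0x7F  signature end
//   [10]     version-major (3)
//   [11]     version-minor
//   [12..31] mechanism name, NUL-padded ("NULL", "PLAIN", "CURVE")
//   [32]     as-server flag
//   [33..63] filler
// ZMTP 2.0 sends the same 10-byte signature, then revision byte 0x01 and a
// socket-type byte; it has no mechanism field at all. ZMTP 1.0 has no
// signature: the stream opens with an identity frame whose first byte is
// that frame's length (0xFF introduces the 8-byte long-length form).
constexpr size_t kSignatureSize = 10;
constexpr size_t kRevisionPos = 10;
constexpr size_t kMechanismPos = 12;
constexpr size_t kMechanismSize = 20;
constexpr size_t kV3GreetingSize = 64;
constexpr uint8_t kZmtp3Major = 3;

// Decide which protocol generation the peer speaks from the bytes seen so
// far. Returns Incomplete when more bytes are needed to decide.
ZmtpVersion classify_greeting(const std::vector<uint8_t>& g) {
    if (g.empty()) return ZmtpVersion::Incomplete;
    // No 0xFF lead byte: a short-form ZMTP 1.0 identity frame.
    if (g[0] != 0xFF) return ZmtpVersion::V1;
    if (g.size() < kSignatureSize) return ZmtpVersion::Incomplete;
    // Heuristic (assumed here): a 1.0 long-form frame also starts with 0xFF,
    // but its 10th byte is a flags byte with the low bit clear, whereas the
    // signature's 10th byte is 0x7F.
    if ((g[9] & 0x01) == 0) return ZmtpVersion::V1;
    if (g.size() <= kRevisionPos) return ZmtpVersion::Incomplete;
    // Any revision byte below 3 is treated as the 2.0 generation.
    return g[kRevisionPos] >= kZmtp3Major ? ZmtpVersion::V3 : ZmtpVersion::V2;
}

// Mechanism name announced by a ZMTP 3.x peer ("" if not yet fully read).
std::string peer_mechanism(const std::vector<uint8_t>& g) {
    if (g.size() < kMechanismPos + kMechanismSize) return "";
    std::string m;
    for (size_t i = kMechanismPos; i < kMechanismPos + kMechanismSize && g[i] != 0; ++i)
        m.push_back(static_cast<char>(g[i]));
    return m;
}

// Admission rule from the fix: with a security mechanism configured on the
// socket, every pre-ZMTP3 peer is rejected unconditionally; a ZMTP3 peer
// must additionally announce the same mechanism. "accept" means the
// connection may proceed to the mechanism handshake.
std::string admission_decision(const std::vector<uint8_t>& greeting,
                               const std::string& configured_mechanism) {
    ZmtpVersion v = classify_greeting(greeting);
    if (v == ZmtpVersion::Incomplete) return "need more bytes";
    bool security_defined = configured_mechanism != "NULL";
    if (security_defined && v != ZmtpVersion::V3)
        return "reject: pre-ZMTP3 peer cannot satisfy " + configured_mechanism;
    if (v == ZmtpVersion::V3) {
        std::string m = peer_mechanism(greeting);
        if (m.empty()) return "need more bytes";
        if (m != configured_mechanism)
            return "reject: mechanism mismatch (" + m + ")";
    }
    return "accept";
}

// Constructed sample greetings for the demonstration (not captured traffic).
std::vector<uint8_t> make_v3_greeting(const std::string& mechanism) {
    std::vector<uint8_t> g(kV3GreetingSize, 0);
    g[0] = 0xFF; g[9] = 0x7F;
    g[kRevisionPos] = kZmtp3Major; g[11] = 0;  // ZMTP 3.0
    for (size_t i = 0; i < mechanism.size() && i < kMechanismSize; ++i)
        g[kMechanismPos + i] = static_cast<uint8_t>(mechanism[i]);
    return g;
}
// ZMTP 2.0: signature, revision 0x01, socket-type byte.
const std::vector<uint8_t> kV2Greeting = {0xFF, 0, 0, 0, 0, 0, 0, 0, 1, 0x7F, 0x01, 0x03};
// ZMTP 1.0: empty identity frame (length 1, flags 0).
const std::vector<uint8_t> kV1Greeting = {0x01, 0x00};

int main() {
    const std::string configured = "CURVE";
    std::printf("v3/CURVE -> %s\n", admission_decision(make_v3_greeting("CURVE"), configured).c_str());
    std::printf("v3/NULL  -> %s\n", admission_decision(make_v3_greeting("NULL"), configured).c_str());
    std::printf("v2       -> %s\n", admission_decision(kV2Greeting, configured).c_str());
    std::printf("v1       -> %s\n", admission_decision(kV1Greeting, configured).c_str());
    std::printf("v2, no security -> %s\n", admission_decision(kV2Greeting, "NULL").c_str());
    return 0;
}
```

The decisive line is the version test before any mechanism handling: a 2.0 peer never reaches the mechanism comparison, so there is nothing for it to downgrade to. With the socket left at NULL the old peers are still admitted, which matches the issue's wording that the rejection applies only when security is defined.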

@hintjens hintjens changed the title Problem: security mechanism is not applied to old protocols Problem: V3 protocol handler is vulnerable to downgrade attacks Dec 4, 2014

@hintjens hintjens changed the title Problem: V3 protocol handler is vulnerable to downgrade attacks Problem: V3 protocol handler vulnerable to downgrade attacks Dec 4, 2014

@hintjens

Member Author

commented Dec 5, 2014

Backported to 4.0.x and 4.1.x.

@hintjens hintjens closed this Dec 5, 2014

bluerise pushed a commit to bitrig/bitrig-ports that referenced this issue May 13, 2015
Imported From OpenBSD
Security fix for V3 protocol downgrade: zeromq/libzmq#1273
testing/ok aja@

Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo added a commit to bitrig/bitrig-ports that referenced this issue May 21, 2015
Security fix for V3 protocol downgrade: zeromq/libzmq#1273
testing/ok aja@

Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo added a commit to bitrig/bitrig-ports that referenced this issue May 26, 2015
Security fix for V3 protocol downgrade: zeromq/libzmq#1273
testing/ok aja@

Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo added a commit to bitrig/bitrig-ports that referenced this issue May 28, 2015
Security fix for V3 protocol downgrade: zeromq/libzmq#1273
testing/ok aja@

Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
jcvernaleo added a commit to bitrig/bitrig-ports that referenced this issue Jul 7, 2015
Security fix for V3 protocol downgrade: zeromq/libzmq#1273
testing/ok aja@

Written by: Jasper Lievisse Adriaanse <jasper@openbsd.org>
hakrdinesh pushed a commit to hakrtech/openbsd-ports0-test that referenced this issue Jan 16, 2018