CRITICAL Vulnerability in libotr (OTR/Off-the-Record Messaging) - Current TAILS Version Affected - Avoid

I know that a lot of you here use Pidgin, Tor Messenger, Adium and other OTR-enabled clients to chat with vendors and other users. It has come to my attention that there is a memory corruption vulnerability in libotr versions 4.1.0 and below. There is a confirmed patch in libotr 4.1.1. However, the most recent TAILS version (2.2 - released March 8th) ships with pidgin-otr 4.0.1 (libotr 4.1.0), which is vulnerable according to this report.

X41 claims that there was a successful proof-of-concept:

In order to successfully trigger the vulnerability, an attacker must be able to send a data message of more than 5.5 gigabytes to a victim in order to pass the check "require_len(datalen)". Due to the support of fragmented OTR messages assembled by libotr, this is possible in practice. By sending 275 messages of size 20MB each, X41 was able to make libotr process such a data message successfully on a system with 8 GB of RAM and 15 GB of swap space. As the data types for lenp and other lengths of the message are 64-bit size_t types on x86_64 architectures, huge messages of multiple gigabytes are possible. Sending such a message to a pidgin client took only a few minutes on a fast network connection, without visible signs of any attack to a user.

It's not clear whether X41 was able to create a functional exploit or not. They do state:

A proof of concept triggering a heap overwrite and crash in the pidgin-otr plugin for the popular pidgin messenger on x86_64 Linux architectures is available.

For now I would advise novice users to avoid using a jabber client with OTR built in (such as Pidgin in TAILS 2.2) until a fix is out. However, if you know what you're doing, you can install the latest version of the OTR plugin before connecting to your jabber server.

I know we have some very technically literate users here so if I glossed over any facts, please do correct me. I understand that TAILS should protect against attacks like these by default, but I feel it's better to be safe than sorry.

Edit: it seems that pidgin-otr and libotr have different versioning. pidgin-otr version 4.0.1 contains libotr version 4.1.0. However, TAILS still ships with the vulnerable version released in Oct 2014. The safe version (pidgin-otr 4.0.2/libotr 4.1.1) was released Mar 9 2016.
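Added illustration (editor's note, not code from this post, from X41, or from libotr): the two ingredients the quoted advisory describes, in the shape a C programmer would recognise. First, a 32-bit length field from the wire is checked against a 64-bit "bytes remaining" counter, so the check passes once the attacker has pushed more than 4 GiB through, and the allocation size is then computed in 32-bit arithmetic. Second, fragment reassembly with no cap on the total is what lets 275 x 20 MB fragments reach that state. The hardened functions cap the reassembled size before any arithmetic and widen to size_t before adding. The "+1 wraps to zero" allocation, the 64 KiB cap and every function name here are assumptions for illustration, not libotr's actual code or constants.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed policy cap: real OTR data messages are a few KB, never gigabytes. */
#define MAX_TOTAL_MSG_BYTES ((size_t)64 * 1024)

/* Vulnerable shape (assumed, modelled on the advisory's description, not libotr source):
 * datalen is a 32-bit wire field, lenp the 64-bit count of bytes still in the buffer. */
int vulnerable_accept(size_t lenp, uint32_t datalen, uint32_t *alloc_size)
{
    if (lenp < datalen)               /* require_len(datalen): only passes with >4 GiB of input */
        return -1;
    *alloc_size = datalen + 1;        /* 32-bit add: 0xFFFFFFFF + 1 wraps to 0 -> malloc(0),
                                         then datalen bytes are copied into it: heap overwrite */
    return 0;
}

/* Hardened: bound the input first, then widen before any arithmetic. */
int hardened_accept(size_t lenp, uint32_t datalen, size_t *alloc_size)
{
    if (lenp > MAX_TOTAL_MSG_BYTES)   /* a multi-gigabyte message is never legitimate */
        return -1;
    if (lenp < datalen)
        return -1;
    *alloc_size = (size_t)datalen + 1; /* cannot wrap on a 64-bit size_t */
    return 0;
}

/* Overflow-safe "would adding `add` bytes to `have` stay under the cap?" */
static int within_cap(size_t have, size_t add)
{
    return add <= MAX_TOTAL_MSG_BYTES && have <= MAX_TOTAL_MSG_BYTES - add;
}

/* Bounded fragment reassembly: refuses the first fragment that would push the
 * total past the cap, before allocating anything. */
struct reassembly {
    unsigned char *buf;
    size_t len, cap;
};

int reassembly_add(struct reassembly *r, const unsigned char *frag, size_t fraglen)
{
    if (!within_cap(r->len, fraglen))
        return -1;
    if (r->len + fraglen > r->cap) {
        size_t ncap = r->cap ? r->cap * 2 : 256;
        while (ncap < r->len + fraglen) ncap *= 2;
        unsigned char *nb = realloc(r->buf, ncap);
        if (!nb) return -1;
        r->buf = nb;
        r->cap = ncap;
    }
    memcpy(r->buf + r->len, frag, fraglen);
    r->len += fraglen;
    return 0;
}

void reassembly_free(struct reassembly *r)
{
    free(r->buf);
    r->buf = NULL;
    r->len = r->cap = 0;
}

/* Counts only (no allocation), so the 5.5 GB scenario can be run anywhere:
 * how many of `count` fragments of `fragsize` bytes the bounded accounting accepts. */
unsigned fragments_accepted(size_t fragsize, unsigned count)
{
    size_t total = 0;
    unsigned accepted = 0;
    for (unsigned i = 0; i < count && within_cap(total, fragsize); i++) {
        total += fragsize;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    size_t x41_input = (size_t)275 * 20 * 1024 * 1024;  /* 275 x 20 MB, as in the advisory */
    uint32_t alloc32 = 1;
    size_t alloc64 = 0;

    int v = vulnerable_accept(x41_input, UINT32_MAX, &alloc32);
    printf("reassembled input: %zu bytes\n", x41_input);
    printf("vulnerable check: accept=%d, allocation size=%u\n", v, alloc32);

    int h = hardened_accept(x41_input, UINT32_MAX, &alloc64);
    printf("hardened check:   accept=%d\n", h);

    printf("20 MB fragments accepted by bounded reassembly: %u of 275\n",
           fragments_accepted((size_t)20 * 1024 * 1024, 275));
    return 0;
}
```

The point for a plugin or client author is that the fix is not only in the message parser: an unbounded fragment reassembler is what turns a "needs 5.5 GB on the wire" condition into something a few minutes on a fast link can satisfy, so the cap belongs at the reassembly step as well as at the length check.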


Comments


[2 Points] honestlyimeanreally:

This has little practicality or uses besides crashing things and maybe your box, correct?

I guess what I'm trying to say is there isn't a way to deanonymize tails users with this exploit, right?

(Either way update your tails, people!)


[2 Points] MDMangel:

On the tails front page it asks for the help of its users to bring things like this to their attention. Have you left them a message on their site? Thank you for bringing this here and letting us know.


[1 Points] GreenEyezxz:

An overwrite of a heap or stack or memory would let an attacker execute code on the target.


[1 Points] Caymanquestion:

I know we have some very technically literate users here so if I glossed over any facts, please do correct me

You have high hopes in our community :P