Add ZNC vulnerability blog post
Co-authored-by: She <she@libera.chat>
Co-authored-by: Melissa Draper <el@libera.chat>
Co-authored-by: bakerst-221b <86150350+bakerst-221b@users.noreply.github.com>
4 people committed Jul 3, 2024
1 parent 9366303 commit cc5837d
Showing 1 changed file with 39 additions and 0 deletions.
39 changes: 39 additions & 0 deletions content/_posts/2024-07-03-zncpsa.md
@@ -0,0 +1,39 @@
---
title: PSA: Critical vulnerability in ZNC's modtcl
author: She, el
---

TL;DR - If you are using a version of modtcl that is NOT from
[ZNC 1.9.1][191changelog] (distribution versions may differ) or newer,
**update or unload it immediately**.

In coordination with other IRC networks and ZNC providers, we're sending out a
global notice today about a vulnerability in a non-default core ZNC module,
modtcl. Please unload this module until it can be upgraded to a patched
version.

Modtcl in ZNC versions prior to 1.9.1 contains an injection vulnerability
([CVE-2024-39844]) that allows channel operators to run arbitrary ZNC
commands as a ZNC user in their channel. This exploit can be used to
compromise NickServ accounts or channels. Attacks may also leverage other
modules or vulnerabilities to compromise of the system user account running
ZNC.

Luckily, modtcl is not loaded by default. To check if you have modtcl loaded,
run `/quote ZNC listmods` to see the list of loaded modules. If you have
access to the ZNC's config file, you may additionally search for the line
`LoadModule = modtcl`.

Prior to this announcement, to protect folks who are idle, Libera's servers
were patched to reduce the impact of this vulnerability on Libera. Our
mitigation will result in some kick messages being blanked out. Other networks
have undertaken their own mitigations as they see fit. Please ask them
directly if you have questions.

We appreciate your help in ensuring that everyone gets updated as soon as
possible! We encourage you to contact ZNC using friends who are idle. Please
also keep us informed in `#libera-hotline` about folks trying to take advantage
of this vulnerability.

[CVE-2024-39844]: https://www.cve.org/CVERecord?id=CVE-2024-39844
[191changelog]: https://wiki.znc.in/ChangeLog/1.9.1
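Review bot: the post never says how the injection reaches modtcl; the only hint is the mitigation paragraph ("some kick messages being blanked out"), from which a reader has to infer that the payload rides on a KICK message. Consider stating the vector explicitly in the paragraph beginning "Modtcl in ZNC versions prior to 1.9.1", since operators on networks that have not deployed a server-side mitigation need to know what to look for, and consider noting that the `LoadModule = modtcl` check must cover the network sections of the config as well as the user section, because ZNC modules can be loaded at either level. Two wording fixes in the same file: "to compromise of the system user account running ZNC" should read "to compromise the system user account running ZNC", and "ZNC using friends" should be hyphenated as "ZNC-using friends".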
