Not on version 4.1.1 of libotr? Now is a good time to upgrade
Security researchers have discovered a critical vulnerability in libotr / Off-the-Record Messaging (OTR), a popular library used in secure messaging software.
Several instant messengers such as ChatSecure, Pidgin, Adium and Kopete are affected by the critical vulnerability in libotr, which was discovered by Markus Vervier of German application security outfit X41 D-Sec.
The memory corruption flaw means that by sending specially-crafted large messages, an attacker could crash any application using libotr in such a way that malicious code is subsequently executed.
Exploitation is, thankfully, far from trivial, as the researchers explain in an advisory note.
In order to successfully trigger the vulnerability, an attacker must be able to send a data message of more than 5.5 gigabytes to a victim in order to pass the check “require_len(datalen)”.
Due to the support of fragmented OTR messages assembled by libotr, this is possible in practice.
By sending 275 messages of size 20MB each, X41 was able to make libotr process such a data message successfully on a system with 8GB of RAM and 15GB of swap space.
As data types for lenp and other lengths of the message are 64 bit large size_t types on x86_64 architectures, huge messages of multiple gigabytes are possible.
Sending such a message to a Pidgin client took only a few minutes on a fast network connection without visible signs of any attack to a user.
Versions 4.1.0 and below of libotr are vulnerable, so it’s time to upgrade to the patched version, libotr 4.1.1.
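The advisory's observation that fragment reassembly makes multi-gigabyte messages reachable points to two checks a parser of this kind can enforce: a cap on the reassembled total, and overflow-safe arithmetic on length fields before allocating. The following C code is an added example, not libotr's code or its 4.1.1 patch; the 64 MiB cap, the 32-bit length field and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy limit for one reassembled message; not a libotr constant. */
#define MAX_REASSEMBLED ((size_t)64 * 1024 * 1024)

struct reasm {
    size_t total;    /* bytes accepted so far for the current message */
    unsigned frags;  /* fragments accepted so far */
};

/* Account for one fragment: 0 if accepted, -1 if the total would wrap or exceed the cap. */
int reasm_account(struct reasm *r, size_t frag_len)
{
    if (frag_len > SIZE_MAX - r->total)        /* addition would wrap */
        return -1;
    if (r->total + frag_len > MAX_REASSEMBLED) /* over the policy limit */
        return -1;
    r->total += frag_len;
    r->frags++;
    return 0;
}

/* Validate a length field (assumed 32-bit) before allocating datalen + 1 bytes. */
int field_alloc_size(uint32_t datalen, size_t remaining, size_t *out)
{
    if ((size_t)datalen > remaining)   /* field must fit in the bytes that are left */
        return -1;
    if (datalen > MAX_REASSEMBLED - 1) /* explicit cap, so datalen + 1 cannot wrap */
        return -1;
    *out = (size_t)datalen + 1;
    return 0;
}

/* Replay a fragment pattern as sizes only (no data is allocated or copied). */
unsigned fragments_accepted(unsigned count, size_t each)
{
    struct reasm r = {0, 0};
    for (unsigned i = 0; i < count; i++)
        if (reasm_account(&r, each) != 0)
            break;
    return r.frags;
}

int main(void)
{
    printf("accepted %u of 275\n", fragments_accepted(275, (size_t)20000000));
    return 0;
}
```

With these limits, the 275 x 20MB pattern quoted above is cut off after the third fragment, and a remaining-length check that a sufficiently large message would satisfy is no longer the only bound on the allocation size.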
The vulnerability was discovered during an internal code audit at X41 D-Sec.
Off-the-Record Messaging (OTR) is a protocol for secure messaging and communication in insecure environments.