Patch for serious vulnerability in libotr encryption library is available
In version 4.1.0 and earlier of libotr, the library that implements the off-the-record (OTR) encryption protocol, it is possible to execute arbitrary code by sending a very large message. Users with fast connections are especially vulnerable. Version 4.1.1 of the libotr library fixes the vulnerability.
The German company X41 D-Sec says it discovered the vulnerability through a code review. According to the description, the vulnerability, known as CVE-2016-2851, is not easy for an attacker to exploit: it requires sending a message with a size of 5.5GB.
The researchers drew up a proof of concept in which they sent 275 messages of 20MB each. This eventually led to a heap overflow on 64-bit systems, which allowed arbitrary code to be run. The researchers used a test system with 8GB of RAM and 15GB of swap space. With a fast network connection, the attack could be carried out without this being noticeable to the victim.
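Added example (not from the original article and not libotr's code): the CVE record for this issue describes an integer overflow on 64-bit platforms, and the C code below shows that bug class with the proof-of-concept numbers, a 32-bit length counter that wraps once the accumulated data passes 4 GiB, next to a checked accounting routine that rejects oversized input before anything is copied. The names reasm_account and MAX_TOTAL, the 64 MiB cap and the reading of 20MB as 20 MiB are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed values: count and size follow the proof of concept described
 * above (275 messages of 20 MB each); MAX_TOTAL is an assumed policy limit. */
#define FRAG_LEN   (20u * 1024u * 1024u)
#define FRAG_COUNT 275u
#define MAX_TOTAL  ((size_t)64 * 1024 * 1024)

/* Weak pattern: the running length lives in a 32-bit variable. */
uint32_t total_len_32bit(unsigned count, uint32_t frag_len)
{
    uint32_t total = 0;
    for (unsigned i = 0; i < count; i++)
        total += frag_len;               /* wraps modulo 2^32 without any error */
    return total;
}

struct reasm { size_t total; };          /* hypothetical reassembly state */
/* Hardened accounting, called before any byte is copied.
 * Returns 0 if the fragment may be appended, -1 if it must be dropped. */
int reasm_account(struct reasm *r, size_t frag_len)
{
    if (frag_len > SIZE_MAX - r->total)      /* sum would wrap size_t */
        return -1;
    if (r->total + frag_len > MAX_TOTAL)     /* sum exceeds the cap */
        return -1;
    r->total += frag_len;
    return 0;
}

/* How many fragments of the constructed stream the hardened path accepts. */
unsigned accepted_before_reject(void)
{
    struct reasm r = { 0 };
    unsigned n = 0;
    while (n < FRAG_COUNT && reasm_account(&r, FRAG_LEN) == 0)
        n++;
    return n;
}

int main(void)
{
    printf("true size:      %llu bytes\n", (unsigned long long)FRAG_COUNT * FRAG_LEN);
    printf("32-bit counter: %u bytes\n", (unsigned)total_len_32bit(FRAG_COUNT, FRAG_LEN));
    printf("accepted:       %u of %u fragments\n", accepted_before_reject(), FRAG_COUNT);
    return 0;
}
```

A buffer sized from the wrapped 32-bit value is several gigabytes smaller than the data that arrives, which is why the length check has to run in the full width of size_t and before the copy.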
Libotr is used in chat programs such as Pidgin and Adium, among others, which makes them vulnerable. Libotr is an implementation of the off-the-record encryption protocol, which provides authentication and encryption in online communications. In general, the protocol is considered very safe. It was also announced this week that Tor Messenger is implementing OTR support for Twitter private messages. The update to the patched 4.1.1 version is now available.