Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

One-X mobile XMPP security? 1

Status
Not open for further replies.

gmacdonald78

Programmer
May 4, 2012
49
GB
Hello all,

We have a site that uses one-x mobile via an SBCE (two wire configuration) and they have recently had a penetration test conducted on their network. The following was found:

[highlight #FCE94F]The Extensible Messaging and Presence Protocol (XMPP) service in use on one of the assessed hosts supports the plaintext authentication mechanisms.
As a result, any client-side services authenticating to the affected service may do so without encrypting authentication credentials. An attacker located in a suitable network position to intercept traffic could therefore harvest user authentication data, which could be used as part of further attacks against the wider environment (particularly if these credentials are associated with internal domain-based management services).
This finding affects the following host: 83.244.xxx.xxx:5222
o resolve this issue xxxxxxxxxx’ should remove support for plaintext authentication within the affected XMPP service, such that any clients must initiate an encrypted session using the 'STARTTLS' command.
As version information relating to the underlying XMPP software in use could not be obtained, please refer to vendor-specific documentation for further details on how this can be achieved.[/highlight]

Anyone had experience of this, i cant find any information regarding disabling the plaintext authentication? Any help would be greatly appreciated.
 
I don't have the answer but this is a very interesting question !

I had already notice that a lot of communication between clients and 1XP use plain text password (activation email, xml config files) but they are mainly exchanged using https.
what you are talking about is that XMPP communications on 5222 are not encrypted. If there is a place to change this behavior it should be on XMPP hidden web config:

Avaya KB said:
For security, the XMPP admin console is not enabled by default. If enabled for maintenance or troubleshooting, you must disable the admin console again afterwards.

To enable the Admin console: (Linux)
1. Login as root user.
2. Enter cd /opt/Avaya/oneXportal/openfire/bin
3. At the prompt, enter: sh AdminConsoleManager.sh enable
4. To restart the service, enter: service onexportal restart

But use with caution, I think modification of XMPP server is not supported by Avaya ;)
 
FYI all responce from Avaya T4:

All XMPP connections on port 5222 start off as unencrypted. But before any password is sent the connection is upgraded to TLS. This upgrade is mandatory, the client
cannot elect to have the connection stay unencrypted. So the password is never
sent in the clear.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top