CVE-2016-9928

7.4 HIGH

📋 TL;DR

CVE-2016-9928 is a roster push vulnerability in the MCabber XMPP client that allows attackers to manipulate contact rosters. Remote attackers can add themselves to victims' contact lists, potentially intercepting communications or gaining unauthorized access to group chats and the privileges associated with them. This affects MCabber users running versions before 1.0.4.

💻 Affected Systems

Products:
  • MCabber
Versions: All versions before 1.0.4
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects MCabber XMPP client, not servers. Requires XMPP connectivity to be exploited.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, interception of all communications, unauthorized access to private group chats, and privilege escalation within XMPP networks.

🟠 Likely Case

Attackers add themselves to victims' contact lists, enabling message interception, social engineering attacks, and unauthorized access to group conversations.

🟢 If Mitigated

Limited impact with proper network segmentation, TLS encryption, and roster validation, though some information leakage may still occur.

🌐 Internet-Facing: HIGH - XMPP clients typically connect to internet-facing servers, making them directly accessible to remote attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to XMPP traffic, though external threats are more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted XMPP packets, which can be done by anyone with network access to the XMPP traffic. Public exploit details are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.4 and later

Vendor Advisory: https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw

Restart Required: Yes

Instructions:

1. Download MCabber 1.0.4 or later from official sources.
2. Compile and install following standard procedures.
3. Restart the MCabber client.
4. Verify the version with 'mcabber --version'.

🔧 Temporary Workarounds

Disable roster auto-accept (Linux)

Configure MCabber to require manual approval for roster additions.

Edit ~/.mcabber/mcabberrc and add:
set roster_auto_accept = 0

Use TLS encryption (Linux)

Enforce TLS encryption for all XMPP connections to prevent packet interception.

Edit ~/.mcabber/mcabberrc and ensure:
set ssl = 1
set ssl_verify = 1
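The check that closes this class of bug sits in the client, not on the wire: RFC 6121 section 2.1.6 requires a client to accept a roster push (an IQ of type "set" carrying a jabber:iq:roster query) only when the stanza has no "from" attribute or its "from" is the user's own bare JID, and to ignore it otherwise. TLS protects the transport between client and server, but a roster push from another account still arrives over that same encrypted session, so the origin check is what actually blocks a spoofed push. The following is an added example, not MCabber's code or a snippet from the original advisory; the stanzas are constructed for illustration, and the function names are this example's own.

```python
"""Roster-push origin check for an XMPP client (added example, not mcabber's code).

RFC 6121 section 2.1.6: a client accepts a roster push only when the 'from'
attribute is absent (the user's own server speaking) or equals the user's own
bare JID. A push from any other JID must be ignored. This is the validation a
vulnerable client omits when it applies every roster push it receives.
"""
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"
CLIENT_NS = "jabber:client"


def bare_jid(jid: str) -> str:
    """Strip the resource: 'alice@example.org/laptop' -> 'alice@example.org'."""
    return jid.split("/", 1)[0]


def parse_roster_push(stanza_xml: str):
    """Return (from_attr, [(jid, subscription), ...]) for a roster push,
    or None when the stanza is not an IQ 'set' carrying a roster query."""
    root = ET.fromstring(stanza_xml)
    if root.tag != f"{{{CLIENT_NS}}}iq" or root.get("type") != "set":
        return None
    query = root.find(f"{{{ROSTER_NS}}}query")
    if query is None:
        return None
    items = [(item.get("jid"), item.get("subscription", "none"))
             for item in query.findall(f"{{{ROSTER_NS}}}item")]
    return root.get("from"), items


def roster_push_is_trusted(stanza_xml: str, own_jid: str) -> bool:
    """Accept the push only if it has no 'from' or comes from our own account.
    Bare JIDs are compared, so another resource of the same account is fine."""
    parsed = parse_roster_push(stanza_xml)
    if parsed is None:
        return False
    sender, _items = parsed
    return sender is None or bare_jid(sender) == bare_jid(own_jid)


def triage(stanzas, own_jid):
    """Return (sender, [item JIDs]) for each roster push that must be rejected.
    These are the 'roster modification events from unknown sources' worth logging."""
    rejected = []
    for stanza in stanzas:
        parsed = parse_roster_push(stanza)
        if parsed is not None and not roster_push_is_trusted(stanza, own_jid):
            sender, items = parsed
            rejected.append((sender, [jid for jid, _ in items]))
    return rejected


# Constructed sample stanzas, as a client would receive them from its server.
LEGIT_PUSH = (
    '<iq xmlns="jabber:client" type="set" id="p1" '
    'to="alice@example.org/laptop" from="alice@example.org">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="bob@example.org" subscription="both"/>'
    '</query></iq>'
)
SERVER_PUSH_NO_FROM = (
    '<iq xmlns="jabber:client" type="set" id="p2" to="alice@example.org/laptop">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="carol@example.org" subscription="to"/>'
    '</query></iq>'
)
# A push relayed from another account: the server stamps the real sender in 'from'.
SPOOFED_PUSH = (
    '<iq xmlns="jabber:client" type="set" id="p3" '
    'to="alice@example.org/laptop" from="mallory@evil.example/bot">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="mallory@evil.example" subscription="both" name="Alice (work)"/>'
    '</query></iq>'
)
NOT_A_PUSH = '<presence xmlns="jabber:client" from="bob@example.org/phone"/>'


if __name__ == "__main__":
    for sender, jids in triage([LEGIT_PUSH, SERVER_PUSH_NO_FROM, SPOOFED_PUSH, NOT_A_PUSH],
                               "alice@example.org/laptop"):
        print(f"rejected roster push from {sender}: {jids}")
```

Run stand-alone, the script reports only the push from mallory@evil.example, while the push from the user's own bare JID and the one with no "from" are accepted. The same predicate, applied to a client's XMPP stanza log, yields the "roster modification events from unknown sources" indicator listed under Detection & Monitoring.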

🧯 If You Can't Patch

  • Isolate XMPP traffic using network segmentation and firewalls
  • Monitor for unusual roster changes and implement strict roster management policies

🔍 How to Verify

Check if Vulnerable:

Run 'mcabber --version' and check if version is below 1.0.4

Check Version:

mcabber --version | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'

Verify Fix Applied:

Run 'mcabber --version' and confirm version is 1.0.4 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unexpected roster push notifications
  • Unauthorized contact additions in roster logs
  • XMPP roster modification events from unknown sources

Network Indicators:

  • Crafted XMPP roster push packets
  • Unusual XMPP traffic patterns during roster updates
  • XMPP packets with manipulated JID attributes

SIEM Query:

source="xmpp" AND (event="roster_push" OR event="contact_added") AND NOT user IN allowed_users
