CVE-2019-16235
📋 TL;DR
CVE-2019-16235 is an origin validation vulnerability in Dino's XMPP message carbons implementation that allows attackers to spoof message sources. This enables message injection and impersonation attacks within XMPP conversations. Users of Dino XMPP client versions before 2019-09-10 are affected.
💻 Affected Systems
- Dino XMPP client
📦 What is this software?
Dino by Dino
Fedora by Fedoraproject
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Attackers can inject malicious messages appearing to come from trusted contacts, enabling social engineering, credential theft, or malware distribution within XMPP conversations.
Likely Case
Message spoofing allowing impersonation of contacts, potentially leading to information disclosure or manipulation of conversations.
If Mitigated
Limited impact with proper message verification and user awareness, though trust in message authenticity remains compromised.
🎯 Exploit Status
Exploitation requires XMPP network access and ability to send crafted carbons messages. Technical details and proof-of-concept are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2019-09-10 or later
Vendor Advisory: https://gultsch.de/dino_multiple.html
Restart Required: Yes
Instructions:
1. Update Dino to version 2019-09-10 or later.
2. On Linux distributions, use the package manager: 'sudo apt update && sudo apt upgrade dino' (Debian/Ubuntu) or 'sudo dnf update dino' (Fedora).
3. Restart the Dino client.
🔧 Temporary Workarounds
Disable Message Carbons
Temporarily disable the vulnerable message carbons feature to prevent exploitation.
In Dino settings: Settings → Advanced → uncheck 'Enable Message Carbons'
🧯 If You Can't Patch
- Disable message carbons feature in Dino settings
- Use alternative XMPP client until Dino can be updated
🔍 How to Verify
Check if Vulnerable:
Check the Dino version: if the version date is before 2019-09-10, the installation is vulnerable.
Check Version:
Run 'dino --version', or open the About dialog in the Dino GUI.
Verify Fix Applied:
Verify that the Dino version is 2019-09-10 or later and that the message carbons feature works without error.
📡 Detection & Monitoring
Log Indicators:
- Unusual message patterns
- Messages with mismatched source identifiers
- XMPP carbons errors
Network Indicators:
- Abnormal XMPP carbons traffic patterns
- Suspicious message forwarding requests
SIEM Query:
xmpp.carbons.message AND (source_ip != expected_source OR message.origin_validation_failed)
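The "mismatched source identifiers" indicator above is exactly the check XEP-0280 requires: the outer <message> of a carbon copy must come from the user's own bare JID (the user's server), or the copy is ignored. The following is an added example, not code from Dino or from the fix commit; the function names and the two sample stanzas (Alice, Bob, Mallory on example domains) are constructed here to show a legitimate carbon being accepted and a spoofed one rejected.

```python
import xml.etree.ElementTree as ET

CARBONS_NS = "urn:xmpp:carbons:2"
FORWARD_NS = "urn:xmpp:forward:0"
CLIENT_NS = "jabber:client"


def bare_jid(jid):
    """Strip the resource: 'bob@example.com/laptop' -> 'bob@example.com'."""
    return jid.split("/", 1)[0]


def validate_carbon(stanza_xml, account_jid):
    """Return (accepted, detail) for one carbon copy stanza (hypothetical helper).

    XEP-0280 rule: a <received/> or <sent/> carbon is trustworthy only when the
    OUTER <message> 'from' is the receiving user's own bare JID, i.e. the copy
    was produced by the user's server. A third party can wrap any inner message
    and choose its 'from' freely, so anything else must be dropped.
    """
    msg = ET.fromstring(stanza_xml.strip())
    wrapper = msg.find(f"{{{CARBONS_NS}}}received")
    if wrapper is None:
        wrapper = msg.find(f"{{{CARBONS_NS}}}sent")
    if wrapper is None:
        return False, "not a carbon copy"
    outer_from = msg.get("from")
    if outer_from is None or bare_jid(outer_from) != bare_jid(account_jid):
        # This is the origin check whose absence CVE-2019-16235 describes.
        return False, f"carbon origin {outer_from!r} is not own bare JID"
    fwd = wrapper.find(f"{{{FORWARD_NS}}}forwarded")
    inner = fwd.find(f"{{{CLIENT_NS}}}message") if fwd is not None else None
    if inner is None:
        return False, "carbon carries no forwarded message"
    return True, inner.get("from")


# Constructed sample stanza (not real traffic): Bob's server relays a copy of a
# message Alice sent to Bob's desktop; the outer 'from' is Bob's bare JID.
LEGIT_CARBON = """
<message xmlns='jabber:client' from='bob@example.com' to='bob@example.com/laptop' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='alice@example.com/phone' to='bob@example.com/desktop' type='chat'>
        <body>hi Bob</body>
      </message>
    </forwarded>
  </received>
</message>"""

# Same inner message, but the carbon wrapper arrives from an unrelated account.
SPOOFED_CARBON = LEGIT_CARBON.replace("from='bob@example.com'", "from='mallory@evil.example/x'", 1)
```

A vulnerable client would display the spoofed copy as a message from alice@example.com; the check above returns it as rejected with the offending outer origin in the detail string.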
🔗 References
- http://www.openwall.com/lists/oss-security/2019/09/12/5
- https://github.com/dino/dino/commit/e84f2c49567e86d2a261ea264d65c4adc549c930
- https://gultsch.de/dino_multiple.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5TMGQ5Q6QMIFG4NVUWMOWW3GIPGWQZVF/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZBNQAOBWTIOKNO4PIYNX624ACGUXSXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YUBM7GDZBB6MZZALDWYRAPNV6HJNLNMC/
- https://seclists.org/bugtraq/2019/Sep/31
- https://usn.ubuntu.com/4306-1/
- https://www.debian.org/security/2019/dsa-4524