CVE-2021-34825
📋 TL;DR
Quassel IRC client versions through 0.13.1 fail to enforce SSL/TLS when started with the --require-ssl flag if a valid X.509 certificate is not available on the system. This allows network traffic to be transmitted in plaintext despite the SSL requirement flag. Users who enable --require-ssl for security are affected.
💻 Affected Systems
- Quassel IRC client
📦 What is this software?
Fedora by Fedoraproject
Quassel by Quassel Irc
⚠️ Risk & Real-World Impact
Worst Case
All IRC communications including authentication credentials, private messages, and channel conversations are transmitted in plaintext, allowing interception and man-in-the-middle attacks.
Likely Case
Sensitive IRC communications are exposed to network eavesdropping when the client falls back to unencrypted connections.
If Mitigated
If proper certificate management is in place and the client successfully uses SSL/TLS, communications remain encrypted as intended.
🎯 Exploit Status
Exploitation requires network access to intercept unencrypted traffic; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.0 and later
Vendor Advisory: https://github.com/quassel/quassel/pull/581
Restart Required: Yes
Instructions:
1. Update Quassel to version 0.14.0 or later.
2. Ensure proper X.509 certificates are configured.
3. Restart the Quassel service.
🔧 Temporary Workarounds
Ensure valid SSL certificate
Manually configure a valid X.509 certificate before starting Quassel with the --require-ssl flag
# Generate or obtain valid X.509 certificate
# Configure Quassel to use the certificate
Disable --require-ssl flag
Temporarily disable the SSL requirement until a proper certificate is available (note that this leaves connections unencrypted by design, so use it only on trusted networks)
# Remove --require-ssl from startup command or configuration
🧯 If You Can't Patch
- Ensure valid X.509 certificates are properly configured before starting Quassel
- Monitor network traffic for unencrypted IRC communications and alert on detection
🔍 How to Verify
Check if Vulnerable:
Check whether Quassel version <= 0.13.1 is running with the --require-ssl flag enabled but no valid certificate configured
Check Version:
quasselclient --version, or check the installed version through the package manager
Verify Fix Applied:
Verify that the Quassel version is >= 0.14.0 and that SSL/TLS connections are actually established (not silently falling back to plaintext)
📡 Detection & Monitoring
Log Indicators:
- Quassel startup logs showing SSL initialization failure
- Error messages about certificate issues
Network Indicators:
- Unencrypted IRC protocol traffic on network (port 6667 typically)
- Lack of TLS handshake when --require-ssl is enabled
SIEM Query:
source="quassel" AND ("SSL" OR "certificate") AND ("fail" OR "error" OR "not found")
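The SIEM query above expresses the log indicators as a boolean pattern. The following added example (not code from the advisory or from the Quassel project) applies the same pattern to raw log lines so that the logic can be tested offline before it is deployed in a SIEM. The log line format and every sample line are constructed for illustration; real Quassel log output may use different wording, so adjust the term lists to what your own logs actually contain.

```python
"""Offline check for the CVE-2021-34825 log indicators.

Mirrors the SIEM query
    source="quassel" AND ("SSL" OR "certificate") AND ("fail" OR "error" OR "not found")
as a case-insensitive substring match on individual log lines.
"""

# Term groups taken from the SIEM query. Substring matching is deliberate:
# "fail" should also hit "failed" and "failure".
SUBJECT_TERMS = ("ssl", "certificate")
FAILURE_TERMS = ("fail", "error", "not found")


def is_ssl_failure_indicator(line: str, source: str = "quassel") -> bool:
    """Return True when a log line matches all three clauses of the SIEM query.

    `source` is treated as a substring of the line because the constructed
    sample format below carries the program name inline; with a structured
    SIEM the source field would be matched separately.
    """
    lowered = line.lower()
    if source.lower() not in lowered:
        return False
    has_subject = any(term in lowered for term in SUBJECT_TERMS)
    has_failure = any(term in lowered for term in FAILURE_TERMS)
    return has_subject and has_failure


def scan_for_indicators(lines, source: str = "quassel"):
    """Return the subset of `lines` that match, preserving input order."""
    return [line for line in lines if is_ssl_failure_indicator(line, source)]


# CONSTRUCTED sample log lines (assumed "<timestamp> <program>: <message>" layout).
SAMPLE_LOGS = [
    "2021-06-17 10:01:02 quassel: Core starting with --require-ssl",
    "2021-06-17 10:01:02 quassel: SSL certificate not found, SSL disabled",
    "2021-06-17 10:01:03 sshd: Accepted publickey for alice from 10.0.0.5",
    "2021-06-17 10:01:05 quassel: Error loading certificate file",
    "2021-06-17 10:01:06 quassel: Listening on 0.0.0.0:4242",
]


if __name__ == "__main__":
    # Lines 2 and 4 of the sample match; the --require-ssl startup line does
    # not, because it carries no failure term.
    for hit in scan_for_indicators(SAMPLE_LOGS):
        print("INDICATOR:", hit)
```

The startup line that merely mentions --require-ssl is intentionally not flagged: the query looks for the combination of an SSL/certificate subject and a failure term, which is what distinguishes a core that silently fell back to plaintext from one that started normally.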
🔗 References
- https://github.com/quassel/quassel/pull/581
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZFWRN5P2WG23MWMVAEVV3YBHGFJHDSW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JOFTSGJUJHCA3KGQBO6OZXWU7JFKVHMJ/