One-X mobile XMPP security?

(OP)
Hello all,

We have a site that uses one-x mobile via an SBCE (two wire configuration) and they have recently had a penetration test conducted on their network. The following was found:

The Extensible Messaging and Presence Protocol (XMPP) service in use on one of the assessed hosts supports the plaintext authentication mechanisms.
As a result, any client-side services authenticating to the affected service may do so without encrypting authentication credentials. An attacker located in a suitable network position to intercept traffic could therefore harvest user authentication data, which could be used as part of further attacks against the wider environment (particularly if these credentials are associated with internal domain-based management services).
This finding affects the following host: 83.244.xxx.xxx:5222
To resolve this issue xxxxxxxxxx’ should remove support for plaintext authentication within the affected XMPP service, such that any clients must initiate an encrypted session using the 'STARTTLS' command.
As version information relating to the underlying XMPP software in use could not be obtained, please refer to vendor-specific documentation for further details on how this can be achieved.

Has anyone had experience of this? I can't find any information regarding disabling the plaintext authentication. Any help would be greatly appreciated.

RE: One-X mobile XMPP security?

I don't have the answer but this is a very interesting question !

I had already noticed that a lot of communication between clients and 1XP uses plain text passwords (activation email, XML config files), but they are mainly exchanged using HTTPS.
What you are talking about is that XMPP communications on 5222 are not encrypted. If there is a place to change this behavior it should be in the XMPP hidden web config:

Quote (Avaya KB)

For security, the XMPP admin console is not enabled by default. If enabled for maintenance or troubleshooting, you must disable the admin console again afterwards.

To enable the Admin console: (Linux)
1. Log in as the root user.
2. Enter cd /opt/Avaya/oneXportal/openfire/bin
3. At the prompt, enter: sh AdminConsoleManager.sh enable
4. To restart the service, enter: service onexportal restart

But use with caution; I think modification of the XMPP server is not supported by Avaya ;)

RE: One-X mobile XMPP security?

(OP)
FYI all, response from Avaya T4:

All XMPP connections on port 5222 start off as unencrypted. But before any password is sent the connection is upgraded to TLS. This upgrade is mandatory; the client cannot elect to have the connection stay unencrypted. So the password is never sent in the clear.
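The Avaya T4 reply can be checked against what the server actually advertises. An RFC 6120 server answers the client's stream header with a `<stream:features>` element before any TLS; if that element carries `<starttls><required/></starttls>` and no SASL `<mechanisms>`, a client has no way to send a password before the upgrade, which is the pentest's "remove plaintext authentication" condition in practice. The script below is an added example, written for this thread and not code from Avaya, one-X Portal or the Openfire project; the function names are hypothetical, the three feature fragments are constructed (not captured from any host), and the live probe assumes a generic RFC 6120 server on 5222 with nothing Avaya-specific.

```python
"""Classify the pre-TLS <stream:features> an XMPP server sends on port 5222.

Added example, not from the thread or from Avaya.  Per RFC 6120 a server
that makes TLS mandatory advertises <starttls> with a <required/> child
and withholds SASL mechanisms until after the upgrade; a server that
offers PLAIN/LOGIN while STARTTLS is merely optional reproduces the
pentest finding.
"""
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
# SASL mechanisms that carry the credential itself across the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def assess_features(features_xml: str) -> dict:
    """Return verdict and details for a <stream:features> fragment seen before TLS."""
    root = ET.fromstring(features_xml)
    tls = root.find(f"{{{NS_TLS}}}starttls")
    offered = tls is not None
    required = offered and tls.find(f"{{{NS_TLS}}}required") is not None
    mechs = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    plain = sorted(set(mechs) & PLAINTEXT_MECHS)
    if not offered:
        verdict = "no STARTTLS offered: credentials would cross the wire in the clear"
    elif required:
        verdict = "STARTTLS required before SASL: passwords cannot be sent in the clear"
    elif plain:
        verdict = "STARTTLS optional and plaintext mechanisms offered: finding reproduces"
    else:
        verdict = "STARTTLS optional but no plaintext mechanisms offered before TLS"
    return {"starttls_offered": offered, "starttls_required": required,
            "pre_tls_mechanisms": mechs, "plaintext_mechanisms": plain,
            "verdict": verdict}


def fetch_stream_features(host: str, port: int = 5222, domain: str = None,
                          timeout: float = 5.0) -> str:
    """Open a plain TCP stream (hypothetical helper) and return the first
    <stream:features> the server sends, re-declaring the stream prefix so
    the fragment parses on its own."""
    domain = domain or host
    header = ("<?xml version='1.0'?>"
              f"<stream:stream to='{domain}' xmlns='jabber:client' "
              f"xmlns:stream='{NS_STREAM}' version='1.0'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header.encode())
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    text = buf.decode(errors="replace")
    start = text.find("<stream:features")
    if start < 0:
        raise ValueError("no <stream:features> received before the stream closed")
    end = text.find("</stream:features>", start)
    fragment = (text[start:end + len("</stream:features>")] if end >= 0
                else text[start:text.find("/>", start) + 2])
    if "xmlns:stream" not in fragment.split(">", 1)[0]:
        fragment = fragment.replace(
            "<stream:features", f"<stream:features xmlns:stream='{NS_STREAM}'", 1)
    return fragment


# Constructed sample fragments (not captured from any real host).
SAMPLE_MANDATORY_TLS = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
    "</stream:features>")
SAMPLE_OPTIONAL_TLS_PLAIN = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'/>"
    f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism>"
    "<mechanism>SCRAM-SHA-1</mechanism></mechanisms>"
    "</stream:features>")
SAMPLE_NO_TLS = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<mechanisms xmlns='{NS_SASL}'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check_xmpp.py onex-portal.example (constructed name)
        print(assess_features(fetch_stream_features(sys.argv[1]))["verdict"])
    else:
        for name, xml in [("mandatory TLS", SAMPLE_MANDATORY_TLS),
                          ("optional TLS + PLAIN", SAMPLE_OPTIONAL_TLS_PLAIN),
                          ("no TLS", SAMPLE_NO_TLS)]:
            print(f"{name}: {assess_features(xml)['verdict']}")
```

Run against the SBCE-published 5222 address, the first verdict confirms the T4 statement; the second or third is the state the pentest report describes, and the fix then lies in the Openfire configuration reachable through the admin console quoted above rather than in the client.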
