Openfire XMPP Server Identity Spoofing Vulnerability via Unsafe Common Name Parsing in X.509 Certificates

Vulnerability

A vulnerability in Openfire's SASL EXTERNAL mechanism for client TLS authentication allows for identity spoofing. This issue arises from the improper extraction of user identities from X.509 certificates. Instead of accurately parsing the structured ASN.1 data, the application retrieves a provider-dependent string that can include unescaped special characters. In certain environments, such as SunJSSE, this flaw enables a malicious certificate to manipulate the Common Name (CN) extraction process. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, an attacker could impersonate another user. This vulnerability affects Openfire versions prior to 5.0.2 and 5.1.0, where the issue has been patched.

Impact

Exploitation of this vulnerability allows internal attackers to impersonate other users by manipulating X.509 certificate attributes, potentially leading to unauthorized access or actions on behalf of the impersonated user.

Remediation

Users are advised to upgrade to Openfire versions 5.0.2 or 5.1.0, where this vulnerability has been fixed. For those using earlier versions, a temporary workaround involves replacing the default CN parsing logic with a custom implementation that correctly handles X.509 certificates. This can be done by creating a Java class that uses the proper parsing methods, packaging it into a JAR file, and placing it in Openfire's lib directory. After updating the configuration to use the new mapper, Openfire should be restarted.
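The advisory's point is that the CN must come from the parsed subject structure, not from a flat string cut at separators. The class below is an added example, not Openfire's own code or its patch: `naiveCns()` shows the bug class in miniature (splitting a DN string without honouring escaping), and `structuredCns()` is the shape a replacement mapper should take, going through `X500Principal` in RFC 2253 form and letting `LdapName`/`Rdn` decode the values. The class name, method names and the constructed subject DN are assumptions for illustration; the interface Openfire expects a custom mapper to implement is not named on the page, so the class is written as a plain helper that such a mapper can call.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Openfire's code): two ways of pulling the CN out of a
 * certificate subject. naiveCns() reproduces the bug class the advisory
 * describes; structuredCns() is the hardened form a custom mapper should use.
 */
public final class SubjectCnExtractor {

    /**
     * Bug class from the advisory: treat the subject as flat text and cut it at
     * separators. Escaping is ignored, so a CN containing an escaped separator
     * comes out wrong. Illustrative only: the exact provider string Openfire
     * used and how it was split are not on the page.
     */
    static List<String> naiveCns(X500Principal subject) {
        List<String> cns = new ArrayList<>();
        for (String part : subject.getName().split(",")) {
            String p = part.trim();
            if (p.regionMatches(true, 0, "CN=", 0, 3)) {
                cns.add(p.substring(3));
            }
        }
        return cns;
    }

    /**
     * Hardened form: request the RFC 2253 encoding, whose escaping rules are
     * defined, and let LdapName/Rdn decode each attribute value structurally.
     */
    static List<String> structuredCns(X500Principal subject) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        for (Rdn rdn : dn.getRdns()) {
            // Multi-valued RDNs (CN=a+OU=b) are ambiguous for identity mapping: skip them.
            if (rdn.size() != 1) {
                continue;
            }
            // Rdn.getValue() is already unescaped; non-String values (binary "#..." forms) are ignored.
            if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                cns.add((String) rdn.getValue());
            }
        }
        return cns;
    }

    /** Certificate entry point: always start from the X500Principal, never from getSubjectDN(). */
    static List<String> cnsFromCertificate(X509Certificate cert) throws InvalidNameException {
        return structuredCns(cert.getSubjectX500Principal());
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject whose CN contains an escaped comma; no real certificate is involved.
        X500Principal subject = new X500Principal("CN=alice\\,admin,OU=Chat,O=Example");
        System.out.println("RFC2253 subject : " + subject.getName(X500Principal.RFC2253));
        System.out.println("naive CNs       : " + naiveCns(subject));
        System.out.println("structured CNs  : " + structuredCns(subject));
    }
}
```

Run with `javac SubjectCnExtractor.java && java SubjectCnExtractor`; the naive path returns a truncated fragment of the CN while the structured path returns the whole value. A mapper built on `cnsFromCertificate()` should also refuse to map when the list is empty or holds more than one CN rather than picking one, since a subject carrying several CNs has no single unambiguous identity.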

Added: Sep 15, 2025, 10:29 PM
Updated: Sep 15, 2025, 10:29 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 5.9
remediation: 8.3
relevance: 0.5
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.