Arch Linux: ASA-201410-4 Medium: Zeromq Downgrade and Replay Threat

Arch Linux Security Advisory ASA-201410-4
========================================
Severity: Medium
Date    : 2014-10-15
CVE-ID  : CVE-2014-7202 CVE-2014-7203
Package : zeromq
Type    : Man-in-the-middle downgrade and replay attack
Remote  : yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package zeromq before version 4.0.5-1 is vulnerable to
man-in-the-middle downgrade and replay attacks.

Resolution
=========
Upgrade to 4.0.5-1.

# pacman -Syu "zeromq>=4.0.5-1"

The problem has been fixed upstream in version 4.0.5.

Workaround
=========
None.

Description
==========
- CVE-2014-7202 (downgrade attack)
A bug in stream_engine.cpp allows man-in-the-middle attackers to conduct
downgrade attacks via a crafted connection request.

- CVE-2014-7203 (replay attack)
libzmq did not ensure that nonces are unique, which allows
man-in-the-middle attackers to conduct replay attacks via unspecified
vectors.

Impact
=====
A remote attacker is able to perform unauthorized modifications by using
a downgrade attack to target vulnerable protocol versions or by
performing a replay attack of a recorded communication.

References
=========
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7203
https://github.com/zeromq/libzmq/issues/1190
https://github.com/zeromq/libzmq/issues/1191
https://bugs.archlinux.org/task/42381
https://seclists.org/oss-sec/2014/q3/776