PSA: Critical vulnerability in ZNC's modtcl

by She, el

TL;DR - If you are using a version of modtcl that is NOT from ZNC 1.9.1 (distribution versions may differ) or newer, update or unload it immediately.

In coordination with other IRC networks and ZNC providers, we’re sending out a global notice today about a vulnerability in a non-default core ZNC module, modtcl. Please unload this module until it can be upgraded to a patched version. You can unload this module by running /quote ZNC unloadmod modtcl.

Modtcl in ZNC versions prior to 1.9.1 contains an injection vulnerability (CVE-2024-39844) that allows channel operators to run arbitrary TCL code on ZNC instances present in their channel. This exploit can be used to compromise NickServ accounts, channels, or the system user account that is running ZNC.

Luckily, modtcl is not loaded by default. To check if you have modtcl loaded, run /quote ZNC listmods to see the list of loaded modules. If you have access to the ZNC’s config file, you may additionally search for the line LoadModule = modtcl.

Prior to this announcement, to protect folks who are idle, Libera’s servers were patched to reduce the impact of this vulnerability on Libera. Our mitigation will result in some kick messages being blanked out. Other networks have undertaken their own mitigations as they see fit. Please ask them directly if you have questions.

We appreciate your help in ensuring that everyone gets updated as soon as possible! We encourage you to contact ZNC-using friends who are idle. Please also keep us informed in #libera-hotline about folks trying to take advantage of this vulnerability.