Message-ID: <CAJt9-x4hcHPjWShOPMrZDQRoUvhJ7ZDo5ntANoTvR-m5ma2w6w@mail.gmail.com>
Date: Thu, 31 May 2018 19:31:02 +0100
From: Matthew Wild <mwild1@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2018-10847] prosody: insufficient stream header validation

Prosody security advisory 2018-05-31
====================================

CVE-2018-10847
--------------

Project
:   Prosody XMPP server

URL
:   https://prosody.im/

CVE
:   CVE-2018-10847

Date
:   2018-05-31

Affected versions
:   0.9.x prior to 0.9.14, 0.10.x prior to 0.10.2. All prior series affected.

Fixed versions
:   0.9.14, 0.10.2

Description
-----------

Due to insufficient validation of client-provided parameters during XMPP
stream restarts, authenticated users may override the realm associated
with their session, potentially bypassing security policies and allowing
impersonation.

Details
-------

Prosody did not verify that the virtual host associated with a user
session remained the same across stream restarts.

In practice this means that a user may authenticate to XMPP host A
and migrate their authenticated session to XMPP host B of the same
Prosody instance.

Note that successful authentication to host A is required to initiate
the attack. This includes SASL ANONYMOUS.

Overriding the authenticated username is not possible via this exploit,
and this limits impersonation to usernames on host B that the attacker
also has access to on host A. In the case of ANONYMOUS authentication,
the username is random and enforced by the server.

If a user has the account user1@...ta.example, they may impersonate
user1@...tb.example, with security policies of host B applied.
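The missing check described above, modelled in Python as an added example (this is not Prosody's own Lua code): a toy session binds its virtual host from the first stream header and, once SASL has succeeded, a stream restart whose `to` names a different host is rejected. The host names, the header parser and the `check_restart` switch (which reproduces the pre-fix behaviour) are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a Prosody config with two VirtualHost entries
VIRTUAL_HOSTS = {"hosta.example", "hostb.example"}
HEADER_RE = re.compile(r"<stream:stream\b([^>]*)>")
ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')

class StreamError(Exception):
    """Stream-level error; a real server would send <stream:error/> and close."""

@dataclass
class Session:
    host: Optional[str] = None      # virtual host bound by the first stream header
    username: Optional[str] = None  # set once SASL succeeds

def parse_stream_header(xml: str) -> dict:
    """Toy parser: pull the attributes off a <stream:stream> opening tag."""
    m = HEADER_RE.search(xml)
    if m is None:
        raise StreamError("invalid-xml")
    return dict(ATTR_RE.findall(m.group(1)))

def open_stream(session: Session, header_xml: str, *, check_restart: bool = True) -> str:
    """Handle an initial stream header or a post-SASL stream restart.
    check_restart=False models the pre-fix behaviour: the 'to' of the restarted
    stream was trusted and simply replaced the host the session authenticated on."""
    to = parse_stream_header(header_xml).get("to")
    if to not in VIRTUAL_HOSTS:
        raise StreamError("host-unknown")
    if session.host is None:
        session.host = to  # first header: bind the session to this virtual host
    elif to != session.host:
        if check_restart:
            # Fixed behaviour: a restart must keep the host already bound
            raise StreamError("not-authorized")
        session.host = to  # vulnerable behaviour: session silently migrates
    return session.host

def sasl_success(session: Session, username: str) -> None:
    """Record the authenticated username; the bound host is unchanged."""
    session.username = username

def bound_jid(session: Session) -> str:
    """JID the server treats the session as after restart and resource binding."""
    return f"{session.username}@{session.host}"
```

With the check on, a session authenticated on hosta.example stays bound to user1@hosta.example even if the restart header names hostb.example; with it off, the same sequence ends up as user1@hostb.example, which is the outcome the advisory describes.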

Affected configurations
-----------------------

Prosody deployments configured with multiple virtual hosts are
vulnerable.

Standard TCP connections and websocket connections are affected,
but BOSH connections are not affected - i.e. deployments where
the only access to Prosody is via BOSH are not vulnerable.

Temporary mitigation
--------------------

Patch available.

- stable 0.10 branch:
https://prosody.im/security/advisory_20180531/issue1147-0.10.1.patch
- old stable 0.9 branch:
https://prosody.im/security/advisory_20180531/issue1147-0.9.patch

Advice
------

All users should upgrade to at least 0.9.14, 0.10.2 or check their OS
distribution for security updates. Users of development branches (0.10,
trunk) should upgrade to the latest nightly builds.

Credits
-------

Reported by Princess Pepperoni from nonfree.pizza

Links
-----

  - https://issues.prosody.im/1147
  - https://blog.prosody.im/prosody-0-10-2-security-release/
