Message-ID: <3576736.366f73iyps@sinistra>
Date: Thu, 22 Jul 2021 17:03:36 +0200
From: Jonas Schäfer <j.wielicki@...ecware.net>
To: oss-sec <oss-security@...ts.openwall.com>
Cc: developers@...sody.im
Subject: Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure) (CVE Request)

(NB: [1] suggested that posting to this list is still an acceptable way to request a CVE, especially if disclosure should happen immediately. Please let me know if that's not going to work, then I'll fill out the form.)

Project : Prosody XMPP server
URL     : https://prosody.im/
Date    : 2021-07-22

**References**

- Advisory (HTML): https://prosody.im/security/advisory_20210722/
- Advisory (text): https://prosody.im/security/advisory_20210722.txt
- Patch: https://prosody.im/security/advisory_20210722/1.patch

This advisory details a new security vulnerability discovered in the Prosody.im XMPP server software. **There is no fixed version released yet**. We are disclosing the issue because it has been mentioned in public and admins can apply a workaround (see below).

Information Disclosure in the Multi-User-Chat component
-------------------------------------------------------

CVE               : We have not requested a CVE yet and hereby do so.
CVSS              : 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:T/RC:C/CR:H/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:N/MA:N)
CWEs              : CWE-284
Affected versions : All versions since 0.11.0
Fixed versions    : None released yet

**Description**

It was discovered that Prosody exposes the list of entities (Jabber/XMPP addresses) affiliated with (i.e. part of) a Multi-User Chat room to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of it, whenever the room's `whois` configuration option is set to `anyone`. This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat whose address they know, if it is hosted on a vulnerable Prosody server.
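To make the access-control failure concrete, here is an illustrative Python model of the decision "who may fetch a room's affiliation list". It is an added example, not Prosody code and not the linked patch: the vulnerable function reproduces the behaviour the description gives (any requester gets the list when `whois` is `anyone`), and the hardened function applies an assumed rule (admins/owners always, everyone else only while actually joined to a non-anonymous room). Room, JIDs and the affiliation ranking are constructed for the example; affiliation names follow XEP-0045.

```python
"""Illustrative model (added example, not Prosody code) of the access decision
behind the advisory: who may fetch a MUC room's affiliation list."""
from dataclasses import dataclass, field

RANK = {"outcast": 0, "none": 1, "member": 2, "admin": 3, "owner": 4}  # XEP-0045 affiliations


@dataclass
class Room:
    whois: str = "moderators"            # "anyone" = non-anonymous room
    members_only: bool = False
    affiliations: dict = field(default_factory=dict)  # bare JID -> affiliation
    occupants: set = field(default_factory=set)       # bare JIDs currently joined

    def affiliation_of(self, jid):
        return self.affiliations.get(jid, "none")

    def listing(self, wanted):
        return sorted(j for j, a in self.affiliations.items() if a == wanted)


def affiliation_list_vulnerable(room, requester, wanted):
    """Behaviour the advisory describes: in a non-anonymous room the list is
    returned to any requester, joined or not, banned or not."""
    if room.whois != "anyone":
        return None                      # request refused
    return room.listing(wanted)          # requester is never checked


def affiliation_list_hardened(room, requester, wanted):
    """Assumed hardened rule (this example's, not the upstream patch): admins
    and owners may always query; everyone else must currently be an occupant
    of a non-anonymous room, so outsiders and banned entities get nothing."""
    if RANK[room.affiliation_of(requester)] >= RANK["admin"]:
        return room.listing(wanted)
    if room.whois == "anyone" and requester in room.occupants:
        return room.listing(wanted)
    return None


def demo_room():
    """Constructed sample: a members-only, non-anonymous room (the OMEMO setup)
    with one owner joined, one member offline and one banned entity."""
    return Room(whois="anyone", members_only=True,
                affiliations={"alice@example.org": "owner",
                              "bob@example.org": "member",
                              "mallory@example.org": "outcast"},
                occupants={"alice@example.org"})
```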
**Affected configurations**

All Multi-User Chat rooms hosted on an affected Prosody version which are configured to share the real addresses of occupants with all other occupants ("non-anonymous"). The impact is particularly high for rooms which have this option set in combination with "members-only" (to allow only entities which have at least "member" affiliation to take part in the chat). Unfortunately, this configuration is a prerequisite for using the state-of-the-art OMEMO end-to-end encryption system.

**Mitigating factors**

A client may choose a sufficiently random name for such private group chats and set the room to not be listed publicly. This prevents unaffiliated attackers from exploiting the vulnerability, as long as the address of the room is not leaked. The public Jabber chat room search engine has been modified to not return any members-only rooms for now.

**Workaround**

As there is no release yet, operators of Prosody servers are advised to apply the following workaround. This email has a patch attached. It can be applied to any Prosody 0.11.x installation. If the installation is managed by a package manager (such as apt or dnf), a future update will revert the change (though a future update should bring the fix anyway).

To do so, open a normal shell on the server and locate the file muc.lib.lua. It should exist in a directory structure `modules/muc/muc.lib.lua`. On Debian, it is found in `/usr/lib/prosody/modules/muc/muc.lib.lua`. Navigate to the directory containing muc.lib.lua and apply the attached patch using `patch -p1 < 1.patch`.

Now reload the MUC component (this can be done without any downtime or impact on operations). The reload can be done via Ad-Hoc commands or the telnet console using `module:reload("muc")`. If you have neither enabled, a restart of Prosody is required. After the reload of the module or restart of Prosody, the Information Disclosure vulnerability is fixed.

**Fix**

The attached patch is considered a viable fix of the issue.
Distributions are encouraged to pick it up ASAP, even before an official release by the Prosody team.

**Attribution**

This vulnerability was disclosed to the Prosody team indirectly and we have not yet had a chance to ascertain if and how the original reporter wants to be attributed. Due to the severity of the information disclosure and the fact that it has also been talked about in public, we wanted to announce the issue widely and officially. A proper attribution will be filled in here once it has been agreed upon.

Attachments: "1.patch" (text/x-patch, 633 bytes); "signature.asc" (application/pgp-signature, 834 bytes)