[ASA-202105-11] prosody: multiple issues

Thu May 20 18:05:56 UTC 2021

Arch Linux Security Advisory ASA-202105-11
==========================================

Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920
          CVE-2021-32921
Package : prosody
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1955

Summary
=======

The package prosody before version 1:0.11.9-1 is vulnerable to multiple
issues including denial of service, authentication bypass, information
disclosure and insufficient validation.

Resolution
==========

Upgrade to 1:0.11.9-1.

# pacman -Syu "prosody>=1:0.11.9-1"

The problems have been fixed upstream in version 0.11.9.

Workaround
==========

- CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a
list of XMPP domains that should be allowed to use the file transfer
proxy.

- CVE-2021-32918 can be partly mitigated using stricter settings for
stanza size limits, rate limits and garbage collection parameters, see
the referenced upstream advisory for more details.

- CVE-2021-32919 can be mitigated by removing or disabling the
‘dialback_without_dialback’ option.

- CVE-2021-32920 can be mitigated by setting the following ssl option
(or add to your existing one if you have one):

  ssl = {
    options = {
      no_renegotiation = true;
    }
  }

- CVE-2021-32921 can partly be mitigated by enabling and configuring
rate limits through mod_limits in order to lengthen the amount of time
required to successfully complete a timing attack.

Description
===========

- CVE-2021-32917 (insufficient validation)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. mod_proxy65 is a file transfer proxy provided
with Prosody to facilitate the transfer of files and other data between
XMPP clients.

It was discovered that the proxy65 component of Prosody allows open
access by default, even if neither of the users have an XMPP account on
the local server, allowing unrestricted use of the server's bandwidth.

The default configuration does not enable mod_proxy65 and is not
affected. With mod_proxy65 enabled, all configurations without a
'proxy65_acl' setting configured are affected.

- CVE-2021-32918 (denial of service)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that default settings leave
Prosody susceptible to remote unauthenticated denial-of-service (DoS)
attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.

- CVE-2021-32919 (authentication bypass)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. The undocumented option
‘dialback_without_dialback’ enabled an experimental feature for server-
to-server authentication. A flaw in this feature meant it did not
correctly authenticate remote servers, allowing a remote server to
impersonate another server when this option is enabled.

- CVE-2021-32920 (denial of service)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that Prosody does not disable
SSL/TLS renegotiation, even though this is not used in XMPP. A
malicious client may flood a connection with renegotiation requests to
consume excessive CPU resources on the server.

- CVE-2021-32921 (information disclosure)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that Prosody does not use a
constant-time algorithm for comparing certain secret strings when
running under Lua 5.2 or later. This can potentially be used in a
timing attack to reveal the contents of secret strings to an attacker.

Impact
======

A remote attacker could cause excessive use of the server's bandwidth
and resources, leading to denial of service, impersonate other servers,
or leak secret strings through timing attacks.

References
==========

https://prosody.im/security/advisory_20210512/#use-of-mod_proxy65-is-unrestricted-in-default-configuration
https://hg.prosody.im/trunk/rev/65dcc175ef5b
https://prosody.im/security/advisory_20210512/#dos-via-insufficient-memory-consumption-controls
https://hg.prosody.im/trunk/rev/db8e41eb6eff
https://hg.prosody.im/trunk/rev/b0d8920ed5e5
https://hg.prosody.im/trunk/rev/929de6ade6b6
https://hg.prosody.im/trunk/rev/63fd4c8465fb
https://hg.prosody.im/trunk/rev/1937b3c3efb5
https://hg.prosody.im/trunk/rev/3413fea9e6db
https://prosody.im/security/advisory_20210512/#undocumented-dialback-without-dialback-option-insecure
https://hg.prosody.im/trunk/rev/6be890ca492e
https://hg.prosody.im/trunk/rev/d0e9ffccdef9
https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption
https://hg.prosody.im/trunk/rev/55ef50d6cf65
https://hg.prosody.im/trunk/rev/5a484bd050a7
https://hg.prosody.im/trunk/rev/aaf9c6b6d18d
https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
https://hg.prosody.im/trunk/rev/c98aebe601f9
https://hg.prosody.im/trunk/rev/13b84682518e
https://hg.prosody.im/trunk/rev/6f56170ea986
https://security.archlinux.org/CVE-2021-32917
https://security.archlinux.org/CVE-2021-32918
https://security.archlinux.org/CVE-2021-32919
https://security.archlinux.org/CVE-2021-32920
https://security.archlinux.org/CVE-2021-32921
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20210520/5d31cab9/attachment.sig>