Arch Linux 803 Published by

A prosody security update has been released for Arch Linux.



ASA-202105-11: prosody: multiple issues


Arch Linux Security Advisory ASA-202105-11
==========================================

Severity: High
Date : 2021-05-19
CVE-ID : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920
CVE-2021-32921
Package : prosody
Type : multiple issues
Remote : Yes
Link :   https://security.archlinux.org/AVG-1955

Summary
=======

The package prosody before version 1:0.11.9-1 is vulnerable to multiple
issues including denial of service, authentication bypass, information
disclosure and insufficient validation.

Resolution
==========

Upgrade to 1:0.11.9-1.

# pacman -Syu "prosody>=1:0.11.9-1"

The problems have been fixed upstream in version 0.11.9.

Workaround
==========

- CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a
list of XMPP domains that should be allowed to use the file transfer
proxy.

- CVE-2021-32918 can be partly mitigated using stricter settings for
stanza size limits, rate limits and garbage collection parameters, see
the referenced upstream advisory for more details.

- CVE-2021-32919 can be mitigated by removing or disabling the
‘dialback_without_dialback’ option.

- CVE-2021-32920 can be mitigated by setting the following ssl option
(or add to your existing one if you have one):

ssl = {
options = {
no_renegotiation = true;
}
}

- CVE-2021-32921 can partly be mitigated by enabling and configuring
rate limits through mod_limits in order to lengthen the amount of time
required to successfully complete a timing attack.

Description
===========

- CVE-2021-32917 (insufficient validation)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. mod_proxy65 is a file transfer proxy provided
with Prosody to facilitate the transfer of files and other data between
XMPP clients.

It was discovered that the proxy65 component of Prosody allows open
access by default, even if neither of the users have an XMPP account on
the local server, allowing unrestricted use of the server's bandwidth.

The default configuration does not enable mod_proxy65 and is not
affected. With mod_proxy65 enabled, all configurations without a
'proxy65_acl' setting configured are affected.

- CVE-2021-32918 (denial of service)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that default settings leave
Prosody susceptible to remote unauthenticated denial-of-service (DoS)
attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.

- CVE-2021-32919 (authentication bypass)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. The undocumented option
‘dialback_without_dialback’ enabled an experimental feature for server-
to-server authentication. A flaw in this feature meant it did not
correctly authenticate remote servers, allowing a remote server to
impersonate another server when this option is enabled.

- CVE-2021-32920 (denial of service)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that Prosody does not disable
SSL/TLS renegotiation, even though this is not used in XMPP. A
malicious client may flood a connection with renegotiation requests to
consume excessive CPU resources on the server.

- CVE-2021-32921 (information disclosure)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that Prosody does not use a
constant-time algorithm for comparing certain secret strings when
running under Lua 5.2 or later. This can potentially be used in a
timing attack to reveal the contents of secret strings to an attacker.

Impact
======

A remote attacker could cause excessive use of the server's bandwidth
and resources, leading to denial of service, impersonate other servers,
or leak secret strings through timing attacks.

References
==========

  https://prosody.im/security/advisory_20210512/#use-of-mod_proxy65-is-unrestricted-in-default-configuration
  https://hg.prosody.im/trunk/rev/65dcc175ef5b
  https://prosody.im/security/advisory_20210512/#dos-via-insufficient-memory-consumption-controls
  https://hg.prosody.im/trunk/rev/db8e41eb6eff
  https://hg.prosody.im/trunk/rev/b0d8920ed5e5
  https://hg.prosody.im/trunk/rev/929de6ade6b6
  https://hg.prosody.im/trunk/rev/63fd4c8465fb
  https://hg.prosody.im/trunk/rev/1937b3c3efb5
  https://hg.prosody.im/trunk/rev/3413fea9e6db
  https://prosody.im/security/advisory_20210512/#undocumented-dialback-without-dialback-option-insecure
  https://hg.prosody.im/trunk/rev/6be890ca492e
  https://hg.prosody.im/trunk/rev/d0e9ffccdef9
  https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption
  https://hg.prosody.im/trunk/rev/55ef50d6cf65
  https://hg.prosody.im/trunk/rev/5a484bd050a7
  https://hg.prosody.im/trunk/rev/aaf9c6b6d18d
  https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
  https://hg.prosody.im/trunk/rev/c98aebe601f9
  https://hg.prosody.im/trunk/rev/13b84682518e
  https://hg.prosody.im/trunk/rev/6f56170ea986
  https://security.archlinux.org/CVE-2021-32917
  https://security.archlinux.org/CVE-2021-32918
  https://security.archlinux.org/CVE-2021-32919
  https://security.archlinux.org/CVE-2021-32920
  https://security.archlinux.org/CVE-2021-32921