Arch Linux Security Advisory ASA-202105-11
=========================================
Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920
          CVE-2021-32921
Package : prosody
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1955

Summary
======
The package prosody before version 1:0.11.9-1 is vulnerable to multiple
issues including denial of service, authentication bypass, information
disclosure and insufficient validation.

Resolution
=========
Upgrade to 1:0.11.9-1.

# pacman -Syu "prosody>=1:0.11.9-1"

The problems have been fixed upstream in version 0.11.9.

Workaround
=========
- CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a
list of XMPP domains that should be allowed to use the file transfer
proxy.

- CVE-2021-32918 can be partly mitigated using stricter settings for
stanza size limits, rate limits and garbage collection parameters, see
the referenced upstream advisory for more details.

- CVE-2021-32919 can be mitigated by removing or disabling the
‘dialback_without_dialback’ option.

- CVE-2021-32920 can be mitigated by setting the following ssl option
(or add to your existing one if you have one):

  ssl = {
    options = {
      no_renegotiation = true;
    }
  }

- CVE-2021-32921 can partly be mitigated by enabling and configuring
rate limits through mod_limits in order to lengthen the amount of time
required to successfully complete a timing attack.

Description
==========
- CVE-2021-32917 (insufficient validation)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. mod_proxy65 is a file transfer proxy provided
with Prosody to facilitate the transfer of files and other data between
XMPP clients.

It was discovered that the proxy65 component of Prosody allows open
access by default, even if neither of the users have an XMPP account on
the local server, allowing unrestricted use of the server's bandwidth.

The default configuration does not enable mod_proxy65 and is not
affected. With mod_proxy65 enabled, all configurations without a
'proxy65_acl' setting configured are affected.

- CVE-2021-32918 (denial of service)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that default settings leave
Prosody susceptible to remote unauthenticated denial-of-service (DoS)
attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.

- CVE-2021-32919 (authentication bypass)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. The undocumented option
‘dialback_without_dialback’ enabled an experimental feature for server-to-server authentication. A flaw in this feature meant it did not
correctly authenticate remote servers, allowing a remote server to
impersonate another server when this option is enabled.

- CVE-2021-32920 (denial of service)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that Prosody does not disable
SSL/TLS renegotiation, even though this is not used in XMPP. A
malicious client may flood a connection with renegotiation requests to
consume excessive CPU resources on the server.

- CVE-2021-32921 (information disclosure)

A security issue was found in the Prosody.im XMPP server software
before version 0.11.9. It was discovered that Prosody does not use a
constant-time algorithm for comparing certain secret strings when
running under Lua 5.2 or later. This can potentially be used in a
timing attack to reveal the contents of secret strings to an attacker.

Impact
=====
A remote attacker could cause excessive use of the server's bandwidth
and resources, leading to denial of service, impersonate other servers,
or leak secret strings through timing attacks.

References
=========
https://prosody.im/security/advisory_20210512/#use-of-mod_proxy65-is-unrestricted-in-default-configuration
https://hg.prosody.im/trunk/rev/65dcc175ef5b
https://prosody.im/security/advisory_20210512/#dos-via-insufficient-memory-consumption-controls
https://hg.prosody.im/trunk/rev/db8e41eb6eff
https://hg.prosody.im/trunk/rev/b0d8920ed5e5
https://hg.prosody.im/trunk/rev/929de6ade6b6
https://hg.prosody.im/trunk/rev/63fd4c8465fb
https://hg.prosody.im/trunk/rev/1937b3c3efb5
https://hg.prosody.im/trunk/rev/3413fea9e6db
https://prosody.im/security/advisory_20210512/#undocumented-dialback-without-dialback-option-insecure
https://hg.prosody.im/trunk/rev/6be890ca492e
https://hg.prosody.im/trunk/rev/d0e9ffccdef9
https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption
https://hg.prosody.im/trunk/rev/55ef50d6cf65
https://hg.prosody.im/trunk/rev/5a484bd050a7
https://hg.prosody.im/trunk/rev/aaf9c6b6d18d
https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
https://hg.prosody.im/trunk/rev/c98aebe601f9
https://hg.prosody.im/trunk/rev/13b84682518e
https://hg.prosody.im/trunk/rev/6f56170ea986
https://security.archlinux.org/CVE-2021-32917
https://security.archlinux.org/CVE-2021-32918
https://security.archlinux.org/CVE-2021-32919
https://security.archlinux.org/CVE-2021-32920
https://security.archlinux.org/CVE-2021-32921

ArchLinux: 202105-11: prosody: multiple issues

May 20, 2021

Summary

- CVE-2021-32917 (insufficient validation) A security issue was found in the Prosody.im XMPP server software before version 0.11.9. mod_proxy65 is a file transfer proxy provided with Prosody to facilitate the transfer of files and other data between XMPP clients.
It was discovered that the proxy65 component of Prosody allows open access by default, even if neither of the users have an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
The default configuration does not enable mod_proxy65 and is not affected. With mod_proxy65 enabled, all configurations without a 'proxy65_acl' setting configured are affected.
- CVE-2021-32918 (denial of service)
A security issue was found in the Prosody.im XMPP server software before version 0.11.9. It was discovered that default settings leave Prosody susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3.
- CVE-2021-32919 (authentication bypass)
A security issue was found in the Prosody.im XMPP server software before version 0.11.9. The undocumented option ‘dialback_without_dialback’ enabled an experimental feature for server-to-server authentication. A flaw in this feature meant it did not correctly authenticate remote servers, allowing a remote server to impersonate another server when this option is enabled.
- CVE-2021-32920 (denial of service)
A security issue was found in the Prosody.im XMPP server software before version 0.11.9. It was discovered that Prosody does not disable SSL/TLS renegotiation, even though this is not used in XMPP. A malicious client may flood a connection with renegotiation requests to consume excessive CPU resources on the server.
- CVE-2021-32921 (information disclosure)
A security issue was found in the Prosody.im XMPP server software before version 0.11.9. It was discovered that Prosody does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.

Resolution

Upgrade to 1:0.11.9-1. # pacman -Syu "prosody>=1:0.11.9-1"
The problems have been fixed upstream in version 0.11.9.

References

https://prosody.im/security/advisory_20210512/#use-of-mod_proxy65-is-unrestricted-in-default-configuration https://hg.prosody.im/trunk/rev/65dcc175ef5b https://prosody.im/security/advisory_20210512/#dos-via-insufficient-memory-consumption-controls https://hg.prosody.im/trunk/rev/db8e41eb6eff https://hg.prosody.im/trunk/rev/b0d8920ed5e5 https://hg.prosody.im/trunk/rev/929de6ade6b6 https://hg.prosody.im/trunk/rev/63fd4c8465fb https://hg.prosody.im/trunk/rev/1937b3c3efb5 https://hg.prosody.im/trunk/rev/3413fea9e6db https://prosody.im/security/advisory_20210512/#undocumented-dialback-without-dialback-option-insecure https://hg.prosody.im/trunk/rev/6be890ca492e https://hg.prosody.im/trunk/rev/d0e9ffccdef9 https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption https://hg.prosody.im/trunk/rev/55ef50d6cf65 https://hg.prosody.im/trunk/rev/5a484bd050a7 https://hg.prosody.im/trunk/rev/aaf9c6b6d18d https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values https://hg.prosody.im/trunk/rev/c98aebe601f9 https://hg.prosody.im/trunk/rev/13b84682518e https://hg.prosody.im/trunk/rev/6f56170ea986 https://security.archlinux.org/CVE-2021-32917 https://security.archlinux.org/CVE-2021-32918 https://security.archlinux.org/CVE-2021-32919 https://security.archlinux.org/CVE-2021-32920 https://security.archlinux.org/CVE-2021-32921

Severity
CVE-2021-32921
Package : prosody
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1955

Workaround

- CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a list of XMPP domains that should be allowed to use the file transfer proxy. - CVE-2021-32918 can be partly mitigated using stricter settings for stanza size limits, rate limits and garbage collection parameters, see the referenced upstream advisory for more details.
- CVE-2021-32919 can be mitigated by removing or disabling the ‘dialback_without_dialback’ option.
- CVE-2021-32920 can be mitigated by setting the following ssl option (or add to your existing one if you have one):
ssl = { options = { no_renegotiation = true; } }
- CVE-2021-32921 can partly be mitigated by enabling and configuring rate limits through mod_limits in order to lengthen the amount of time required to successfully complete a timing attack.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved