Prosody security advisory 2021-05-12
This advisory details 5 new security vulnerabilities discovered in the Prosody.im XMPP server software. All issues are fixed in the 0.11.9 release default configuration.
1/5: DoS via insufficient memory consumption controls
It was discovered that default settings leave Prosody susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3. Lua 5.2 is the default and recommended Lua version for Prosody 0.11.x series.
2/5: DoS via repeated TLS renegotiation causing excessive CPU consumption
It was discovered that Prosody does not disable SSL/TLS renegotiation, even though this is not used in XMPP. A malicious client may flood a connection with renegotiation requests to consume excessive CPU resources on the server.
Support for disabling renegotiation depends on OpenSSL 1.1.1+ and LuaSec 0.7+.
3/5: Use of timing-dependent string comparison with sensitive values
It was discovered that Prosody does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
4/5: Use of mod_proxy65 is unrestricted in default configuration
mod_proxy65 is a file transfer proxy provided with Prosody to facilitate the transfer of files and other data between XMPP clients.
It was discovered that the proxy65 component of Prosody allows open access by default, even if neither of the users have an XMPP account on the local server, allowing unrestricted use of the server’s bandwidth.
5/5: Undocumented dialback-without-dialback option insecure
The undocumented option ‘dialback_without_dialback’ enabled an experimental feature for server-to-server authentication. A flaw in this feature meant it did not correctly authenticate remote servers, allowing a remote server to impersonate another server when this option is enabled.