Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure)

Project
:   Prosody XMPP server

URL
:   https://prosody.im/

Date
:   2021-07-22

**References**

 - Advisory (HTML): https://prosody.im/security/advisory_20210722/
 - Advisory (text): https://prosody.im/security/advisory_20210722.txt
 - Link to patch: https://prosody.im/security/advisory_20210722/1.patch

This advisory details a new security vulnerability discovered in the Prosody.im 
XMPP server software. ~~There is no fixed version released yet. We are
disclosing the issue because it has been mentioned in public and admins can
apply a workaround (see below).~~

A fix for this issue is available in Prosody 0.11.10; we advise everyone
affected to upgrade.

Information Disclosure in the Multi-User-Chat component
-------------------------------------------------------

CVE
: CVE-2021-37601

CVSS
: 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:T/RC:C/CR:H/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:N/MA:N)

CWEs
: CWE-284

Affected versions
: All versions since 0.11.0

Fixed versions
: 0.11.10

**Description**

It was discovered that Prosody exposes the list of entities (Jabber/XMPP
addresses) affiliated with a Multi-User Chat room to any user, even if they
are not currently an occupant of the room or if their affiliation would not
let them join it, whenever the `whois` room configuration is set to
`anyone`.

This allows any entity to access the list of admins, members, owners and
banned entities of any federated XMPP group chat of which they know the
address if it is hosted on a vulnerable Prosody server.

**Affected configurations**

All Multi-User chat rooms hosted on an affected Prosody version which are
configured to share the real addresses of occupants with all other
occupants ("non-anonymous").

The impact is particularly high for rooms which have this option set in
combination with "members-only" (allowing only entities with at least
"members" affiliation to take part in the chat). Unfortunately, this
configuration is a prerequisite for using the state-of-the-art OMEMO
end-to-end encryption system.

**Mitigating factors**

A client may choose a sufficiently random name for such private group
chats and set the room not to be listed publicly. This prevents unaffiliated
attackers from exploiting the vulnerability, as long as the address of the
room is not leaked.

The public jabber chat room search engine has been modified to not return
any members-only rooms for now.

**Workaround**

~~As there is no release yet, operators of Prosody servers are advised to
apply the following workaround.~~

**The recommended mitigation is to upgrade to Prosody 0.11.10, released
on 2021-08-03.** Follow the manual patching instructions only if you cannot
immediately upgrade.

This advisory has a patch attached; it can be applied to any Prosody
installation from 0.11.0 to 0.11.9. The patch is already applied in 0.11.10.
If the patch is applied manually and your Prosody installation is managed by
a package manager (such as apt or dnf), a future update will revert the change.

To do so, open a normal shell on the server and locate the file
`muc.lib.lua`. It should exist in a directory structure
`modules/muc/muc.lib.lua`. On Debian, it is found in
`/usr/lib/prosody/modules/muc/muc.lib.lua`.

Navigate to the directory containing muc.lib.lua and apply the attached
patch using `patch -p1 < 1.patch`.

* Link to patch: <https://prosody.im/security/advisory_20210722/1.patch>

Now reload the MUC component (this can be done without any downtime or
impact on operations) via Ad-Hoc commands or the telnet console using
`module:reload("muc")`. If you have neither enabled, a restart of Prosody
is required.

After the reload of the module or restart of Prosody, the Information
Disclosure vulnerability is fixed.
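Before choosing between the upgrade and the manual patch, an operator can check the installed version against the range stated above. The following shell script is an added example, not part of this advisory or of Prosody itself; it assumes `prosodyctl about` prints a line of the form `Prosody <version>`, and the sample output it parses is constructed.

```shell
# Added example (not from the advisory or Prosody): classify an installed
# Prosody version against the range this advisory lists as affected
# (0.11.0 through 0.11.9; fixed in 0.11.10).
# Assumption: `prosodyctl about` prints a line "Prosody <version>"; the
# sample output below is constructed.

# Print the version found in `prosodyctl about` output read from stdin.
prosody_version_from_about() {
    awk '$1 == "Prosody" && $2 ~ /^[0-9]+\.[0-9]+/ { print $2; exit }'
}

# Print "affected", "fixed", "not-affected" (before 0.11.0) or "unknown"
# (a release line the advisory does not classify, or an unparseable string).
prosody_cve_2021_37601_status() {
    ver=$1
    case $ver in
        [0-9]*.[0-9]*) ;;                # plausible x.y or x.y.z
        *) echo unknown; return ;;       # e.g. a development snapshot
    esac
    major=${ver%%.*}; major=${major%%[!0-9]*}
    rest=${ver#*.}
    minor=${rest%%.*}; minor=${minor%%[!0-9]*}
    case $rest in
        *.*) patch=${rest#*.} ;;         # has a third component
        *)   patch=0 ;;                  # "0.11" means 0.11.0
    esac
    patch=${patch%%[!0-9]*}; [ -n "$patch" ] || patch=0   # drop "-1", "~bpo" suffixes
    if [ "$major" -gt 0 ] || [ "$minor" -gt 11 ]; then
        echo unknown                     # newer lines: not covered by this advisory
    elif [ "$minor" -lt 11 ]; then
        echo not-affected                # bug introduced in 0.11.0
    elif [ "$patch" -ge 10 ]; then
        echo fixed
    else
        echo affected
    fi
}

# Convenience wrapper: read `prosodyctl about` output from stdin.
prosody_check_about() {
    prosody_cve_2021_37601_status "$(prosody_version_from_about)"
}

# Constructed sample of `prosodyctl about` output from a vulnerable host.
SAMPLE_ABOUT='Prosody 0.11.9
# Prosody directories'

echo "$SAMPLE_ABOUT" | prosody_check_about    # prints: affected
```

On a live host, replace the sample with `prosodyctl about | prosody_check_about`; a result of `affected` means upgrade to 0.11.10 or apply the patch as described above.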

**Fix**

This issue is fixed in Prosody 0.11.10.

~~The attached patch is considered a viable fix of the issue.
Distributions are encouraged to pick it up ASAP, even before an
official release by the Prosody team.~~

**Attribution**

The reporter has declined attribution, but we thank them for disclosing
the issue to us.