Prosody XMPP server advisory 2021-07-22 (Remote Information Disclosure)

Project : Prosody XMPP server
URL     : https://prosody.im/
Date    : 2021-07-22

**References**

- Advisory (HTML): https://prosody.im/security/advisory_20210722/
- Advisory (text): https://prosody.im/security/advisory_20210722.txt
- Link to patch: https://prosody.im/security/advisory_20210722/1.patch

This advisory details a new security vulnerability discovered in the Prosody.im XMPP server software.

~~There is no fixed version released yet. We are disclosing the issue because it has been mentioned in public and admins can apply a workaround (see below).~~

A fix for this issue is available in Prosody 0.11.10; we advise everyone affected to upgrade.

Information Disclosure in the Multi-User-Chat component
-------------------------------------------------------

CVE               : CVE-2021-37601
CVSS              : 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:T/RC:C/CR:H/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:N/MA:N)
CWEs              : CWE-284
Affected versions : All versions since 0.11.0
Fixed versions    : 0.11.10

**Description**

It was discovered that Prosody exposes the list of entities (Jabber/XMPP addresses) affiliated with (part of) a Multi-User Chat to any user, even if they are currently not part of the chat or if their affiliation would not let them become part of the chat, whenever the `whois` room configuration was set to `anyone`.

This allows any entity to access the list of admins, members, owners and banned entities of any federated XMPP group chat whose address they know, if it is hosted on a vulnerable Prosody server.

**Affected configurations**

All Multi-User Chat rooms hosted on an affected Prosody version which are configured to share the real addresses of occupants with all other occupants ("non-anonymous"). The impact is particularly high for rooms which have this option set in combination with "members-only" (allowing only entities with at least "member" affiliation to take part in the chat). Unfortunately, this configuration is a prerequisite for using the state-of-the-art OMEMO end-to-end encryption system.

**Mitigating factors**

A client may choose a sufficiently random name for such private group chats and set it to not be listed publicly. This prevents unaffiliated attackers from exploiting the vulnerability, as long as the address of the room is not leaked.

The public Jabber chat room search engine has been modified to not return any members-only rooms for now.

**Workaround**

~~As there is no release yet, operators of Prosody servers are advised to apply the following workaround.~~

**The recommended mitigation is to upgrade to Prosody 0.11.10, released on 2021-08-03.** Follow the manual patching instructions only if you cannot immediately upgrade.

This advisory has a patch attached; it can be applied to any Prosody installation from 0.11.0 to 0.11.9. The patch is already applied in 0.11.10. If the patch is applied manually and your Prosody installation is managed by a package manager (such as apt or dnf), a future update will revert the change.

To apply the patch, open a normal shell on the server and locate the file muc.lib.lua. It should exist in a directory structure `modules/muc/muc.lib.lua`. On Debian, it is found in `/usr/lib/prosody/modules/muc/muc.lib.lua`. Navigate to the directory containing muc.lib.lua and apply the attached patch using `patch -p1 < 1.patch`.

- Link to patch: https://prosody.im/security/advisory_20210722/1.patch

Now reload the MUC component (this can be done without any downtime or impact on operations). This can be done via Ad-Hoc commands or the telnet console using `module:reload("muc")`. If you have neither enabled, a restart of Prosody is required.

After the reload of the module or restart of Prosody, the Information Disclosure vulnerability is fixed.

**Fix**

This issue is fixed in Prosody 0.11.10.

~~The attached patch is considered a viable fix of the issue. Distributions are encouraged to pick it up ASAP, even before an official release by the Prosody team.~~

**Attribution**

The reporter has declined attribution, but we thank them for disclosing the issue to us.
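The manual workaround above, written out as an added example that is not part of the advisory or of the Prosody project's own tooling. The script decides whether a Prosody version string falls in the range the advisory names as affected (0.11.0 up to and including 0.11.9, with distribution suffixes such as `0.11.9-1` tolerated) and, for an affected install, applies the advisory's `1.patch` in the directory holding `muc.lib.lua` exactly as the advisory instructs, preceded by a dry run so a mismatched or already-applied patch leaves the file untouched. The `--dry-run` option is GNU patch; the `prosodyctl about` output format in the usage comment is an assumption, not something the advisory states.

```shell
#!/bin/sh
# Added example (not from the Prosody advisory or project): check whether a
# Prosody version is in the affected range 0.11.0 <= v <= 0.11.9 from the
# advisory, and apply 1.patch in the muc.lib.lua directory if it is.

# Return 0 when $1 (e.g. "0.11.9" or "0.11.9-1") is an affected version,
# 1 otherwise.  Non-numeric input such as a development snapshot id is
# treated as "not known to be affected" rather than causing an error.
prosody_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest; patch=0 ;;      # "0.11" denotes the 0.11.0 release
    esac
    patch=${patch%%[!0-9]*}               # drop "-1", "~beta1" and similar
    patch=${patch:-0}
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) return 1 ;;      # not a plain dotted version
        esac
    done
    if [ "$major" -eq 0 ] && [ "$minor" -eq 11 ] && [ "$patch" -le 9 ]; then
        return 0
    fi
    return 1
}

# Apply the advisory's patch with "patch -p1 < 1.patch" from inside the
# directory that contains muc.lib.lua (Debian: /usr/lib/prosody/modules/muc).
#   $1: directory containing muc.lib.lua
#   $2: path to the downloaded 1.patch
apply_muc_patch() {
    muc_dir=$1
    patch_file=$2
    if [ ! -f "$muc_dir/muc.lib.lua" ]; then
        echo "no muc.lib.lua in $muc_dir" >&2
        return 1
    fi
    if [ ! -f "$patch_file" ]; then
        echo "patch file $patch_file not found" >&2
        return 1
    fi
    # Dry run first (GNU patch): fails when the hunks do not apply, e.g. on a
    # version outside the range or when the patch is already in place.
    (cd "$muc_dir" && patch -p1 --dry-run < "$patch_file") >/dev/null || return 1
    (cd "$muc_dir" && patch -p1 < "$patch_file")
}

# Typical use.  Assumption (not from the advisory): `prosodyctl about` prints
# the running version on a line beginning "Prosody <version>".
#   ver=$(prosodyctl about | awk '/^Prosody /{print $2; exit}')
#   if prosody_affected "$ver"; then
#       apply_muc_patch /usr/lib/prosody/modules/muc ./1.patch \
#           && echo 'patched; now module:reload("muc") or restart Prosody'
#   fi
```

After a successful run, the MUC module still has to be reloaded (or Prosody restarted) as the advisory describes; the script deliberately stops short of that because the available reload mechanism (Ad-Hoc commands, telnet console, or a service restart) differs per installation. Note also the advisory's caveat that a package-managed install will have this change reverted by the next update, so upgrading to 0.11.10 remains the real fix.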