Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 31 May 2018 19:31:02 +0100
From: Matthew Wild <mwild1@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2018-10847] prosody: insufficient stream header validation

Prosody security advisory 2018-05-31
====================================

CVE-2018-10847
------------

Project
:   Prosody XMPP server

URL
:   https://prosody.im/

CVE
:   CVE-2018-10847

Date
:   2018-05-31

Affected versions
:   0.9.x prior to 0.9.14, 0.10.x prior to 0.10.2. All prior series affected.

Fixed versions
:   0.9.14, 0.10.2

Description
-----------

Due to insufficient validation of client-provided parameters during XMPP
stream restarts, authenticated users may override the realm associated
with their session, potentially bypassing security policies and allowing
impersonation.

Details
-------

Prosody did not verify that the virtual host associated with a user
session remained the same across stream restarts.

In practice this means that a user may authenticate to XMPP host A
and migrate their authenticated session to XMPP host B of the same
Prosody instance.

Note that successful authentication to host A is required to initiate
the attack. This includes SASL ANONYMOUS.

Overriding the authenticated username is not possible via this exploit,
and this limits impersonation to usernames on host B that the attacker
also has access to on host A. In the case of ANONYMOUS authentication,
the username is random and enforced by the server.

If a user has the account user1@...ta.example, they may impersonate
user1@...tb.example, with security policies of host B applied.

Affected configurations
-----------------------

Prosody deployments configured with multiple virtual hosts are
vulnerable.

Standard TCP connections and websocket connections are affected,
but BOSH connections are not affected - i.e. deployments where
the only access to Prosody is via BOSH are not vulnerable.

Temporary mitigation
--------------------

Patch available.

-  stable 0.10 branch:
https://prosody.im/security/advisory_20180531/issue1147-0.10.1.patch
- old stable 0.9 branc:
https://prosody.im/security/advisory_20180531/issue1147-0.9.patch

Advice
------

All users should upgrade to at least 0.9.14, 0.10.2 or check their OS
distribution for security updates. Users of development branches (0.10,
trunk) should upgrade to the latest nightly builds.

Credits
-------

Reported by Princess Pepperoni from nonfree.pizza

Links
-----

  - https://issues.prosody.im/1147
  - https://blog.prosody.im/prosody-0-10-2-security-release/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.