BigBlueButton Denial-of-Service Vulnerability via Poll Submission Mutation

Vulnerability

A denial-of-service vulnerability has been identified in BigBlueButton versions prior to 3.0.13. This issue allows any authenticated user to freeze or crash the entire server by exploiting the polling feature's 'Choices' response type. The vulnerability arises from the server's failure to properly validate the size of the 'answerIds' array in the 'pollSubmitUserVote' GraphQL mutation. By submitting a malicious payload with a massive array, an attacker can disrupt the current meeting and potentially all meetings on the server, causing them to become unresponsive. Version 3.0.13 includes a patch for this vulnerability, and no known workarounds are available.

Impact

Exploitation of this vulnerability produces a denial-of-service condition: the current meeting becomes unresponsive, and the condition can extend to every meeting on the server, crashing the BigBlueButton backend as a whole.

Reproduction

To reproduce this vulnerability, join an active BigBlueButton meeting and start a poll with the 'Choices' response type. Intercept the GraphQL request that submits the poll answers using a proxy tool like Burp Suite. Replace the default 'answerIds' payload with an oversized array containing hundreds of thousands of entries. After forwarding the modified request, the meeting will freeze, and attempting to join other meetings or create a new one on the same server will result in an error.

Remediation

Users are advised to upgrade to BigBlueButton version 3.0.13, which includes the necessary patch. Instructions for updating can be found in the BigBlueButton documentation.
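The root cause named above is a missing bound on the 'answerIds' array. The following is an added illustration of the kind of server-side check that closes that gap, written here for this advisory; it is not BigBlueButton's own code or its 3.0.13 patch, and the poll shape, the `validateAnswerIds` name, the hard cap of 100 and the duplicate/out-of-range rules are assumptions:

```javascript
// Added example (not BigBlueButton's own code): bounding the 'answerIds'
// argument of a poll-vote mutation before it reaches any per-entry work.
// Poll shape, option count and limits below are assumptions for illustration.

const MAX_ANSWER_IDS = 100; // hard cap independent of the poll; assumed value

// Returns { ok: true, answerIds } with a normalised, de-duplicated list, or
// { ok: false, reason } describing why the submission must be rejected.
function validateAnswerIds(rawAnswerIds, poll) {
  // Reject anything that is not a plain array before touching its length.
  if (!Array.isArray(rawAnswerIds)) {
    return { ok: false, reason: 'answerIds must be an array' };
  }
  // Size check first: the cost of everything below grows with the array
  // length, so an oversized payload must fail here, not later.
  const maxAllowed = Math.min(poll.answers.length, MAX_ANSWER_IDS);
  if (rawAnswerIds.length === 0 || rawAnswerIds.length > maxAllowed) {
    return { ok: false, reason: `answerIds length must be between 1 and ${maxAllowed}` };
  }
  if (!poll.isMultipleResponse && rawAnswerIds.length !== 1) {
    return { ok: false, reason: 'poll accepts exactly one answer' };
  }
  const seen = new Set();
  for (const id of rawAnswerIds) {
    // Each id must be a non-negative integer indexing an existing option.
    if (!Number.isInteger(id) || id < 0 || id >= poll.answers.length) {
      return { ok: false, reason: `invalid answer id ${String(id)}` };
    }
    if (seen.has(id)) {
      return { ok: false, reason: `duplicate answer id ${id}` };
    }
    seen.add(id);
  }
  return { ok: true, answerIds: [...seen] };
}

// Constructed sample poll with four options (not real BigBlueButton data).
const samplePoll = {
  isMultipleResponse: true,
  answers: ['A', 'B', 'C', 'D'],
};
```

Because the length check runs before any per-element loop, an array of hundreds of thousands of entries is rejected in constant time instead of being processed.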

Added: Oct 9, 2025, 9:22 PM
Updated: Oct 9, 2025, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.