Prosody
cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*
- < 0.12.6
- < 13.0.5
A denial-of-service vulnerability has been identified in the Prosody XMPP server in versions prior to 13.0.5 and in the 0.12 series prior to 0.12.6. Unauthenticated connections can trigger memory leaks, and the leaked memory is not reclaimed even after the connection's stream has ended, so each connection leaves a permanent cost behind. Prosody's per-connection rate limits do not contain this, because the memory cost is amplified well beyond what the per-connection limits assume, and affected versions impose no limit on the total number of connections, so an attacker can multiply the effect by opening many concurrent connections.
Exploitation leads to memory exhaustion on the server, which disrupts normal operation and can leave the server unresponsive.
Users are advised to upgrade to Prosody 13.0.5, or to 0.12.6 for deployments on the 0.12 series. As an additional layer, review and adjust system firewall limits so that both the rate of new connections and the total number of concurrent connections to the server are bounded; for example, 'ufw' can rate-limit incoming connection attempts on the standard XMPP ports (5222 for client-to-server, 5269 for server-to-server). Note that a rate limit alone does not cap how many connections stay open at once, which is what this issue exploits, so a concurrent-connection limit is needed as well.
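The following script is an added example, not code from the Prosody project or from this advisory. It emits (and optionally applies) ufw and iptables rules that bound both the rate of new connections and the number of concurrent connections per source and in total on the XMPP ports, and it includes a helper that counts live connections per peer from `ss -tn` output so the thresholds can be tuned against real traffic before they are enforced. The port list, the thresholds, the `xmpp_*` function names and the sample `ss` output are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Prosody project or the advisory: stop-gap
# firewall limits for XMPP listeners until the upgrade to 13.0.5 / 0.12.6 lands.
# Port list and thresholds are assumptions; tune them per deployment.
set -eu

XMPP_PORTS="${XMPP_PORTS:-5222 5223 5269}"   # c2s, legacy c2s-over-TLS, s2s
MAX_PER_SRC="${MAX_PER_SRC:-20}"             # concurrent connections per source IP (assumed)
MAX_TOTAL="${MAX_TOTAL:-1000}"               # concurrent connections across all sources (assumed)

# Print the rules rather than applying them, so they can be reviewed first.
xmpp_limit_rules() {
  for port in $XMPP_PORTS; do
    # Rate: a ufw "limit" rule rejects a source that initiates 6 or more new
    # connections within 30 s (the threshold is fixed by ufw). Per-source rate only.
    echo "ufw limit ${port}/tcp"
    # Concurrency per source: connlimit counts the live conntrack entries that
    # were admitted through this rule; mask 32 = one bucket per IPv4 address.
    echo "iptables -I INPUT -p tcp --syn --dport ${port} -m connlimit --connlimit-above ${MAX_PER_SRC} --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
    # Global cap: mask 0 puts every source into a single bucket, which is the
    # "total number of connections" bound that affected Prosody versions lack.
    echo "iptables -I INPUT -p tcp --syn --dport ${port} -m connlimit --connlimit-above ${MAX_TOTAL} --connlimit-mask 0 -j DROP"
  done
}

# Count established connections per peer address on the XMPP ports, reading
# `ss -tn` output on stdin. Columns: State Recv-Q Send-Q Local:Port Peer:Port.
xmpp_conn_counts() {
  awk -v ports="$XMPP_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "ESTAB" {
      lp = $4; sub(/.*:/, "", lp)          # local port
      if (!(lp in want)) next              # ignore non-XMPP listeners
      peer = $5; sub(/:[0-9]+$/, "", peer) # strip the ephemeral peer port
      c[peer]++; total++
    }
    END { for (s in c) print c[s], s; print total + 0, "TOTAL" }' | sort -rn
}

# Constructed `ss -tn` output for the offline demo (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.0.2.10:5222      203.0.113.5:51000
ESTAB  0      0      192.0.2.10:5222      203.0.113.5:51001
ESTAB  0      0      192.0.2.10:5222      203.0.113.5:51002
ESTAB  0      0      192.0.2.10:5269      198.51.100.7:40000
ESTAB  0      0      192.0.2.10:22        198.51.100.7:40001'

case "${1:-}" in
  --apply)  xmpp_limit_rules | sh -e ;;   # run the emitted commands (as root)
  --counts) xmpp_conn_counts ;;           # usage: ss -tn | ./xmpp-limits.sh --counts
  *)
    xmpp_limit_rules
    echo "# per-peer counts on the constructed sample:"
    printf '%s\n' "$SAMPLE_SS" | xmpp_conn_counts
    ;;
esac
```

Run it without arguments to review the rules and see the counting logic on the constructed sample, `ss -tn | ./xmpp-limits.sh --counts` against a live host to pick realistic thresholds, and `--apply` as root to enforce them. Rules inserted directly with `iptables -I` are not persisted by ufw; to survive a reboot or `ufw reload`, place the connlimit rules in `/etc/ufw/before.rules`, and add matching `ip6tables` rules (mask 128 for per-address buckets) on dual-stack hosts.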