Prosody
cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*
- < 0.12.6
- >= 13.0.0, < 13.0.5
A denial-of-service vulnerability has been identified in the Prosody XMPP server, affecting versions prior to 0.12.6 and versions from 13.0.0 up to but not including 13.0.5. An unauthenticated client can exhaust server memory through XML parsing resource amplification: the memory Prosody allocates while parsing the input grows disproportionately to the number of bytes the attacker sends, so Prosody's per-connection rate limits, which are based on the volume of data received, provide little protection. Prosody also imposes no limit on the total number of connections, so an attacker can multiply the effect by opening many concurrent connections. The investigation also uncovered resource leaks: a connection could continue to consume server resources after its stream had ended.
Exploitation leads to excessive memory consumption, leaving the server unresponsive and unable to handle incoming requests. The effect is particularly damaging on larger servers, where a sudden influx of resource-intensive connections can overwhelm the server's capacity and degrade service for every existing session.
The vulnerability can be reproduced by opening many simultaneous connections to a Prosody server, all from a single IP address, and sending large, intentionally complex XML stanzas (for example, around 256 KB each) that are expensive for the server to parse. Because Prosody's default configuration does not limit the number of connections per IP address, the impact scales with the number of connections the attacker can hold open.
Prosody users are advised to upgrade to version 13.0.5 or 0.12.6. As defence in depth, review and adjust host firewall limits on the rate and the total number of connections accepted from a single IP address, for example with ufw's limit rules on the standard XMPP ports (5222 for client connections, 5269 for server-to-server). Such limits only raise the cost of the attack and do not remove the amplification; the upgrade is the fix.
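The following shell script is an added example of the firewall advice above; it is illustrative and not Prosody project code. It assumes a Debian/Ubuntu-style host with ufw and iptables, and the port list and the cap of 20 concurrent connections per source address are example values to tune for your deployment. It shows the ufw limit rules for the connection rate, an iptables connlimit rule for the per-source connection total (which ufw's limit action does not provide), and a check that reports whether a given port is covered by a connlimit rule in the output of iptables -S.

```shell
#!/usr/bin/env bash
# Added example (not Prosody project code): per-source connection limits for a
# Prosody host. Assumptions: ufw and iptables are installed, ports and the
# connection cap are example values.
set -u

# Standard XMPP listening ports: 5222 (c2s), 5269 (s2s), 5223 (c2s direct TLS).
XMPP_PORTS="${XMPP_PORTS:-5222 5269 5223}"

# Run a command, or only print it when DRY_RUN=1 (for review before applying).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ufw's 'limit' action rate-limits new connections per source address
# (6 within 30 seconds, then deny). This covers the connection *rate*.
ufw_rate_limit() {
    for port in $XMPP_PORTS; do
        run ufw limit "${port}/tcp"
    done
}

# ufw has no cap on concurrent connections per source, so use the iptables
# connlimit match for the connection *total*: reject new SYNs once one /32
# has more than $1 connections to a port. Inserted at the top of INPUT so it
# is evaluated before ufw's own chains.
iptables_connlimit() {
    local max="$1"
    for port in $XMPP_PORTS; do
        run iptables -I INPUT -p tcp --syn --dport "$port" \
            -m connlimit --connlimit-above "$max" --connlimit-mask 32 \
            -j REJECT --reject-with tcp-reset
    done
}

# Apply both layers; the optional argument is the per-source connection cap.
apply_xmpp_limits() {
    ufw_rate_limit
    iptables_connlimit "${1:-20}"
}

# Check: given the text of 'iptables -S INPUT', return 0 when a connlimit rule
# exists for the port, 1 when it does not. iptables renders --syn as
# --tcp-flags ..., so match on the port followed by any connlimit match.
connlimit_covered() {
    local port="$1" rules="$2"
    printf '%s\n' "$rules" | grep -q -- "--dport ${port} .*connlimit"
}

# Review the rules first, then apply them as root, then verify, e.g.:
#   DRY_RUN=1 apply_xmpp_limits 20
#   sudo -E bash -c 'apply_xmpp_limits 20'
#   connlimit_covered 5222 "$(sudo iptables -S INPUT)" && echo "5222 covered"
```

Rules added with iptables directly do not survive a reboot; on a ufw host put the connlimit rules in /etc/ufw/before.rules instead. Choose the cap with NAT in mind: a campus or office behind one public address legitimately holds many client connections, so too low a value locks out real users while doing nothing about the per-connection amplification the advisory describes.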