CVE-2021-37601
📋 TL;DR
This vulnerability in Prosody's Multi-User Chat (MUC) module allows remote attackers to obtain sensitive information about chat room participants, including lists of admins, members, owners, and banned entities. It affects Prosody XMPP servers running versions 0.11.0 through 0.11.9 with common MUC configurations. Organizations using vulnerable Prosody instances for group chat are at risk of unauthorized information disclosure.
💻 Affected Systems
- Prosody XMPP Server
📦 What is this software?
Prosody by Prosody
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map organizational structures, identify key personnel, and gather intelligence for targeted attacks by obtaining complete membership lists of sensitive chat rooms.
Likely Case
Unauthorized users can enumerate participants in chat rooms, potentially revealing organizational relationships and contact information that should remain private.
If Mitigated
With proper access controls and network segmentation, impact is limited to information disclosure within authorized network segments.
🎯 Exploit Status
The vulnerability allows information disclosure without authentication in affected configurations, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.11.10 and later
Vendor Advisory: https://prosody.im/security/advisory_20210722/
Restart Required: Yes
Instructions:
1. Update Prosody to version 0.11.10 or later using your package manager.
2. Restart the Prosody service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable MUC module
Temporarily disable the Multi-User Chat module if it is not required
# Edit prosody.cfg and comment out or remove 'muc' from modules_enabled
Restrict MUC access
Configure MUC rooms to require authentication and restrict access
# Configure prosody.cfg with: muc_room_default_public = false
# Set appropriate access controls for MUC rooms
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Prosody server
- Monitor for unusual XMPP traffic patterns and connection attempts
🔍 How to Verify
Check if Vulnerable:
Check the Prosody version with 'prosodyctl about' or 'prosody --version' and confirm whether it falls between 0.11.0 and 0.11.9 inclusive
Check Version:
prosodyctl about
Verify Fix Applied:
Confirm the version is 0.11.10 or later and test MUC functionality for proper access controls
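To make the version check above mechanical, here is an added example shell script; it is not part of this advisory page or of the Prosody project. It classifies a version string against the affected range stated above (0.11.0 through 0.11.9, fixed in 0.11.10) and extracts the version from `prosodyctl about` output. The assumption that `prosodyctl about` prints a first line of the form `Prosody <version>` is this example's own; the sample output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or Prosody): classify a Prosody
# version against the affected range 0.11.0 through 0.11.9 (fixed in 0.11.10).

# Extract the version from `prosodyctl about`-style output given on stdin.
# Assumption: the tool prints a line beginning "Prosody <version>".
prosody_version_from_about() {
    sed -n 's/^Prosody \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "vulnerable", "fixed" or "unknown" for a dotted version string.
# "unknown" covers versions below 0.11.0, which this page does not list;
# consult the vendor advisory for those.
classify_prosody_version() {
    ver=$1
    major=$(printf '%s\n' "$ver" | cut -d. -f1)
    minor=$(printf '%s\n' "$ver" | cut -d. -f2)
    patch=$(printf '%s\n' "$ver" | cut -d. -f3)
    patch=${patch:-0}   # treat "0.11" as "0.11.0"

    if [ "$major" -gt 0 ] || [ "$minor" -gt 11 ]; then
        echo fixed                       # anything newer than the 0.11 series
    elif [ "$minor" -eq 11 ]; then
        if [ "$patch" -ge 10 ]; then
            echo fixed                   # 0.11.10 and later carry the fix
        else
            echo vulnerable              # 0.11.0 .. 0.11.9
        fi
    else
        echo unknown                     # below 0.11.0: not covered by this page
    fi
}

# Constructed sample of `prosodyctl about` output for the stand-alone run.
# On a real host replace this with: prosodyctl about | prosody_version_from_about
sample_about='Prosody 0.11.9
# Prosody directories
Data directory: /var/lib/prosody'

v=$(printf '%s\n' "$sample_about" | prosody_version_from_about)
echo "Prosody $v: $(classify_prosody_version "$v")"
```

Run it as a normal shell script to see the classification of the constructed sample; on a live server, pipe the real `prosodyctl about` output into `prosody_version_from_about` instead. A result of "vulnerable" means the host needs the 0.11.10 update or one of the workarounds above.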
📡 Detection & Monitoring
Log Indicators:
- Unusual MUC room enumeration attempts
- Multiple failed authentication attempts to MUC rooms
- Unexpected information requests handled by the MUC module (muc.lib.lua)
Network Indicators:
- Unusual XMPP traffic patterns to MUC components
- Multiple connection attempts from unknown sources
SIEM Query:
source="prosody.log" AND ("muc" OR "room") AND ("enumeration" OR "unauthorized" OR "disclosure")
🔗 References
- http://www.openwall.com/lists/oss-security/2021/07/28/4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7BZRRPCNOETB4MN4XSYPRBBKDIHO27DY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EMKIOEP2CYWHVVUCNWISPE4AGH4IR7O2/
- https://prosody.im/
- https://prosody.im/security/advisory_20210722/