-
SJM
Zoom xmpp vulnerability FYI https://go.theregister.com/feed/www.theregister.com/2022/05/24/zoom_rce_bug_patched/
-
Licaon_Kter
SJM: who operates Zoom on their servers?
-
SJM
Only Zoom AFAIK; however, others run XMPP servers and clients, and it might be useful to understand this oversight.
-
thndrbvr
So since that company is monetarily wealthy and hugely popular, how much code and money (or documentation, security audits, et al.) have they been contributing to the wider XMPP ecosystem?
-
Licaon_Kter
thndrbvr: it's ~opensource~free so just put a note on the site, in the basement, under the cupboard, behind the sign that reads "beware of the communism"
-
Licaon_Kter
ejabberd is just GPL2 you silly libre fanboi, not AGPL...
-
abdullah
Where are Jabber's emails?
-
ernst.on.tour
> Where are Jabber's emails?

*What* are Jabber's emails?
-
abdullah
You cannot receive messages on your membership as an email
-
abdullah
> I wrote:
> You cannot receive messages on your membership as an email

Or rather, you use Jabber's membership as your mailing address
-
Licaon_Kter
abdullah: you'd need some sort of xmpp-to-email gateway I guess
-
abdullah
> Licaon_Kter wrote:
> abdullah: you'd need some sort of xmpp-to-email gateway I guess

How is that
-
mathieui
thndrbvr: considering the scale at which zoom operates, I would suppose they are in a rather lucrative paid contract with the ejabberd company, which contributes to the ecosystem
-
ernst.on.tour
> abdullah: you'd need some sort of xmpp-to-email gateway I guess

I've prepared a little Python script that is running on my Prosody server; it listens on port 25 and "forwards" the sender's email, subject and plaintext body as an XMPP message to your XMPP account. So you will get informed about wrong use of your XMPP address and you are able to open your mail client to answer him with something like "Wrong address, please use an XMPP client or deliver your mail to xyz@mailbox"
-
abdullah
> ernst.on.tour wrote:
> I've prepared a little Python script that is running on my Prosody server; it listens on port 25 and "forwards" the sender's email, subject and plaintext body as an XMPP message to your XMPP account.
> So you will get informed about wrong use of your XMPP address and you are able to open your mail client to answer him with something like "Wrong address, please use an XMPP client or deliver your mail to xyz@mailbox"

Thanks
-
RayTutu
> SJM: who operates Zoom on their servers?

FWIW, the vulnerability was in the expat XML library (used by ejabberd and others). Expat version 2.4.5 fixed the issue back in February. https://blog.hartwork.org/posts/expat-2-4-5-released/
-
RayTutu
At a high level, someone could send a message to a user which could have appeared to come from the server due to a UTF-8 parsing vulnerability in libexpat. Exploitability was demonstrated with Zoom by causing the client to perform a software upgrade, which would be a malicious package.
-
MattJ
RayTutu, Zoom is not using libexpat, but gloox
-
MattJ
The Zoom RCE is different to the libexpat CVEs
-
moparisthebest
right but there are 2 libexpat CVEs in there and an additional ejabberd bug no one bothered reporting to ejabberd (I pinged them in their MUC yesterday)
-
moparisthebest
also pinged the only client anyone knows of that uses gloox which is vulnerable to the impersonation bug, which is Renga on Haiku
-
moparisthebest
actually might be ok if you've upgraded your expat https://github.com/processone/fast_xml/issues/46
-
RayTutu
MattJ: correct, I agree. I prefixed my statement with "high level" because it's actually a vulnerability chain but perhaps I shouldn't have. Vulnerabilities in the Zoom client (which uses gloox) were combined with a vulnerability in Zoom server (ejabberd/fast_xml/libexpat) to achieve results. The CVEs this community should be concerned about are the updates to libexpat and fast_xml. The other CVEs were specific to Zoom (RCE), but were _enabled_ by the expat vulnerability. Expat alone did not have an RCE vulnerability.
-
RayTutu
moparisthebest: from what I can tell, assuming your distribution has picked up expat 2.4.5 or later, I think it's fine.
-
moparisthebest
RayTutu, and anything using gloox, but as far as I know that's just the 1 client on Haiku
-
moparisthebest
gloox has not released a fix, I pinged the author with no response
-
RayTutu
Ah, right. I wasn't aware of that client.