XMPP Service Operators - 2022-05-25

Zoom xmpp vulnerability FYI https://go.theregister.com/feed/www.theregister.com/2022/05/24/zoom_rce_bug_patched/

SJM: who operates Zoom on their servers?

Only zoom AFAIK however others run xmpp servers and clients, and it might be useful to understand this oversight.

So since that company is monetarily wealthy and hugely popular, how much code and money (or documentation, security audits, et. al.) have they been contributing to the wider XMPP ecosystem?

thndrbvr: it's ~opensource~free so just put a note on the site, in the basement, under the cupboard, behind the sign that reads "beware of the communism" ✏

ejabberd is just GPL2 you silly libre fanboi, not AGPL...

Where are Jabber's emails?

> Where are Jabber's emails? *What* are Jabber's emails ?

You cannot receive messages on your membership as an email

> I wrote: > You cannot receive messages on your membership as an email Or rather, you use Jabber 's membership as your mailing address

abdullah: you'd need some sort of xmpp-to-email gateway I guess

> Licaon_Kter wrote: > abdullah: you'd need some sort of xmpp-to-email gateway I guess How is that

thndrbvr: considering the scale at which zoom operates, I would suppose they are in a rather lucrative paid contract with the ejabberd company, which contributes to the ecosystem

> abdullah: you'd need some sort of xmpp-to-email gateway I guess I've prepared a little python script that is running in my prosody-server and it listen on port 25 and "forward" as a xmpp-msg the senders email, subject and plaintext-body to your xmpp-account. So you will get informed about wrong use of your xxmp-address and you are able to open your mail-client to answer him something like "Wrong address, please use a xmpp-client or deliver your mail to xyz@mailbox"

> ernst.on.tour wrote: > I've prepared a little python script that is running in my prosody-server and it listen on port 25 and "forward" as a xmpp-msg the senders email, subject and plaintext-body to your xmpp-account. > So you will get informed about wrong use of your xxmp-address and you are able to open your mail-client to answer him something like "Wrong address, please use a xmpp-client or deliver your mail to xyz@mailbox" Thanks

> SJM: who operates Zoom on their servers? FWIW, the vulnerability was in the expat XML library (used by ejabberd and others). Expat version 2.4.5 fixed the issue back in February. https://blog.hartwork.org/posts/expat-2-4-5-released/

At high level, someone could send a message to a user which could have appeared to come from the server due to a UTF-8 parsing vulnerability in libexpat. Exploitability was demonstrated with Zoom by causing the client to perform a software upgrade, which would be a malicious package.

RayTutu, Zoom is not using libexpat, but gloox

The Zoom RCE is different to the libexpat CVEs

right but there are 2 libexpat CVEs in there and an additional ejabberd bug no one bothered reporting to ejabberd (I pinged them in their MUC yesterday)

also pinged the only client anyone knows of that uses gloox which is vulnerable to the impersonation bug, which is Renga on Haiku

actually might be ok if you've upgraded your expat https://github.com/processone/fast_xml/issues/46

MattJ: correct, I agree. I prefixed my statement with "high level" because it's actually a vulnerability chain but perhaps I shouldn't have. Vulnerabilities in the Zoom client (which uses gloox) were combined with a vulnerability in Zoom server (ejabberd/fast_xml/libexpat) to achieve results. The CVEs this community should be concerned about are the updates to libexpat and fast_xml. The other CVEs were specific to Zoom (RCE), but were _enabled_ by the expat vulnerability. Expat alone did not have an RCE vulnerability.

moparisthebest: from what I can tell, assuming your distribution has picked up expat 2.4.5 or later, I think it's fine.

RayTutu, and anything using gloox, but as far as I know that's just the 1 client on Haiku

gloox has not released a fix, I pinged the author with no response

Ah, right. I wasn't aware of that client.