XMPP Service Operators - 2022-05-25


  1. SJM

    Zoom xmpp vulnerability FYI https://go.theregister.com/feed/www.theregister.com/2022/05/24/zoom_rce_bug_patched/

  2. Licaon_Kter

    SJM: who operates Zoom on their servers?

  3. SJM

    Only zoom AFAIK however others run xmpp servers and clients, and it might be useful to understand this oversight.

  4. thndrbvr

    So since that company is monetarily wealthy and hugely popular, how much code and money (or documentation, security audits, et. al.) have they been contributing to the wider XMPP ecosystem?

  5. Licaon_Kter

    thndrbvr: it's ~opensource~free so just put a note on the site, in the basement, under the cupboard, behind the sign that reads "beware of the communism"

  7. Licaon_Kter

    ejabberd is just GPL2 you silly libre fanboi, not AGPL...

  8. abdullah

    Where are Jabber's emails?

  9. ernst.on.tour

    > Where are Jabber's emails?
    *What* are Jabber's emails?

  10. abdullah

    You cannot receive messages on your membership as an email

  11. abdullah

    > I wrote:
    > You cannot receive messages on your membership as an email
    Or rather, you use Jabber's membership as your mailing address

  12. Licaon_Kter

    abdullah: you'd need some sort of xmpp-to-email gateway I guess

  13. abdullah

    > Licaon_Kter wrote:
    > abdullah: you'd need some sort of xmpp-to-email gateway I guess
    How is that

  14. mathieui

    thndrbvr: considering the scale at which zoom operates, I would suppose they are in a rather lucrative paid contract with the ejabberd company, which contributes to the ecosystem

  15. ernst.on.tour

    > abdullah: you'd need some sort of xmpp-to-email gateway I guess
    I've prepared a little python script that is running on my prosody-server; it listens on port 25 and "forwards" the sender's email, subject and plaintext-body as an xmpp-msg to your xmpp-account. So you will get informed about wrong use of your xmpp-address and you are able to open your mail-client to answer him something like "Wrong address, please use an xmpp-client or deliver your mail to xyz@mailbox"

  16. abdullah

    > ernst.on.tour wrote:
    > I've prepared a little python script that is running on my prosody-server; it listens on port 25 and "forwards" the sender's email, subject and plaintext-body as an xmpp-msg to your xmpp-account.
    > So you will get informed about wrong use of your xmpp-address and you are able to open your mail-client to answer him something like "Wrong address, please use an xmpp-client or deliver your mail to xyz@mailbox"
    Thanks

  17. RayTutu

    > SJM: who operates Zoom on their servers?
    FWIW, the vulnerability was in the expat XML library (used by ejabberd and others). Expat version 2.4.5 fixed the issue back in February. https://blog.hartwork.org/posts/expat-2-4-5-released/

  18. RayTutu

    At a high level, someone could send a message to a user which could have appeared to come from the server due to a UTF-8 parsing vulnerability in libexpat. Exploitability was demonstrated with Zoom by causing the client to perform a software upgrade, which would be a malicious package.

  19. MattJ

    RayTutu, Zoom is not using libexpat, but gloox

  20. MattJ

    The Zoom RCE is different to the libexpat CVEs

  21. moparisthebest

    right but there are 2 libexpat CVEs in there and an additional ejabberd bug no one bothered reporting to ejabberd (I pinged them in their MUC yesterday)

  22. moparisthebest

    also pinged the only client anyone knows of that uses gloox which is vulnerable to the impersonation bug, which is Renga on Haiku

  23. moparisthebest

    actually might be ok if you've upgraded your expat https://github.com/processone/fast_xml/issues/46

  24. RayTutu

    MattJ: correct, I agree. I prefixed my statement with "high level" because it's actually a vulnerability chain but perhaps I shouldn't have. Vulnerabilities in the Zoom client (which uses gloox) were combined with a vulnerability in Zoom server (ejabberd/fast_xml/libexpat) to achieve results. The CVEs this community should be concerned about are the updates to libexpat and fast_xml. The other CVEs were specific to Zoom (RCE), but were _enabled_ by the expat vulnerability. Expat alone did not have an RCE vulnerability.

  25. RayTutu

    moparisthebest: from what I can tell, assuming your distribution has picked up expat 2.4.5 or later, I think it's fine.

  26. moparisthebest

    RayTutu, and anything using gloox, but as far as I know that's just the 1 client on Haiku

  27. moparisthebest

    gloox has not released a fix, I pinged the author with no response

  28. RayTutu

    Ah, right. I wasn't aware of that client.