XMPP is under real threat!

12 April 2026 | Author: Ley

Greetings. My name is Ley, and I have discovered a CRITICAL vulnerability in most XMPP servers that can bring down ANY SERVER IN SECONDS!

Please, read the article below and take action as soon as possible!


XMPKill is a vulnerability present in almost all XMPP server implementations, including Prosody and Ejabberd, which can be used for a DoS attack.

The essence: The attacker creates a bunch of valid XMPP connections and then sends BadXML. Essentially, this is XML that is difficult to parse.

Suppose an attacker opens 100 connections to a simple Prosody XMPP server and sends a stanza like this: <a>1<a>2<a>...</a></a></a>, 256 KB in size (Prosody's default limit). And... THE SERVER DROPS DEAD.
For Ejabberd, you just need to increase the number of simultaneous connections and the stanza size. THAT'S IT.

How to fix? EASILY — SET LIMITS!

Simply put: limit the maximum size of a single stanza and the maximum number of connections from a single IP. The server will handle the rest.

Example for Prosody (prosody.cfg.lua):

max_stanza_size = 65536
c2s_limit = 10

Example for Ejabberd (ejabberd.yml):

listen:
  - port: 5222
    module: ejabberd_c2s
    max_stanza_size: 65536
    max_fsm_queue: 100

access:
  max_user_sessions:
    - 10: all
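As an added illustration (not Ley's test script and not code from Prosody or ejabberd), here is a Python guard that enforces the stanza-size limit from the configs above on the raw byte stream, plus a nesting-depth cap that I assume as an extra check (it is not a Prosody or ejabberd option), so nested BadXML is cut off before any tree is built. The sample stanzas are constructed.

```python
import xml.parsers.expat as expat

class StanzaLimitError(Exception): """An incoming stanza broke a configured limit."""

class StanzaGuard:
    """Rejects a stanza as soon as it exceeds max_bytes (cf. max_stanza_size
    above) or max_depth, a nesting cap assumed here, not a server option."""
    def __init__(self, max_bytes=65536, max_depth=32):
        self.max_bytes, self.max_depth = max_bytes, max_depth
        self.depth, self.stanza_start, self.stanzas = 0, 0, 0
        self.parser = expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end
        # One wrapper element, like the <stream:stream> framing a real XMPP
        # connection, makes the sequence of stanzas a single XML document.
        self.parser.Parse(b"<stream>", False)   # depth 1 is the wrapper
        self.fed = len(b"<stream>")             # total bytes fed so far

    def _start(self, name, attrs):
        self.depth += 1
        stanza_depth = self.depth - 1           # 1 = a new top-level stanza
        if stanza_depth == 1:
            self.stanza_start = self.parser.CurrentByteIndex
        if stanza_depth > self.max_depth:
            raise StanzaLimitError(f"nesting depth {stanza_depth} > {self.max_depth}")

    def _end(self, name):
        self.depth -= 1
        if self.depth == 1:                     # a stanza just closed
            size = self.parser.CurrentByteIndex - self.stanza_start
            if size > self.max_bytes:
                raise StanzaLimitError(f"stanza of {size} bytes > {self.max_bytes}")
            self.stanzas += 1

    def feed(self, chunk):
        """Feed one chunk read from the socket; raises on any limit breach."""
        self.parser.Parse(chunk, False)         # expat errors propagate too
        self.fed += len(chunk)
        # A still-open stanza may not exceed the byte budget: an oversized one
        # is cut off without ever being buffered whole.
        if self.depth > 1 and self.fed - self.stanza_start > self.max_bytes:
            raise StanzaLimitError("open stanza exceeds byte budget")

def check_chunks(chunks, max_bytes=65536, max_depth=32):
    """Run constructed chunks through a fresh guard: 'ok ...' or 'rejected ...'."""
    guard = StanzaGuard(max_bytes, max_depth)
    try:
        for chunk in chunks:
            guard.feed(chunk)
    except (StanzaLimitError, expat.ExpatError) as e:
        return f"rejected: {e}"
    return f"ok: {guard.stanzas} stanza(s)"
```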

THIS IS NO JOKE. This vulnerability takes down even large servers.

A mass broadcast has already gone out. Secure your servers RIGHT NOW before it's too late.

If you need a script to test your servers for the vulnerability — write to me on XMPP at: ley@unionium.org

Take care of your servers.

Yours, Ley.