[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Uncontrolled Resource Consumption with Highly-Compressed XMPP Stanzas

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Uncontrolled Resource Consumption with Highly-Compressed XMPP Stanzas
From: Giancarlo Pellegrino <gpellegrino@xxxxxxxxxxxxxxxxxx>
Date: Fri, 04 Apr 2014 19:48:14 +0200

Hi all,

Several XMPP server implementations that support application-layercompression (XEP-0138) suffer from an uncontrolled resource consumptionvulnerability (CWE-400). This vulnerability can be remotely exploited byattackers to mount Denial-of-Service attacks by sendinghighly-compressed XML elements over XMPP streams.


Affected servers are reported to:

1. Consume the virtual memory; in certain cases, it has been reportedthat servers are terminated by the operating system for out of memoryconditions;

2. Monopolize the use of the CPU;
3. In certain cases, not allow administrators to disable stream compression.

It is best to upgrade to corrected server code. An alternative,temporary workaround is to disable XMPP-level compression.

More details and the list of affected implementations can be found inthe security notice published by the XMPP Standards Foundation:


http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/


Thank you.

Best Regards,
Giancarlo Pellegrino

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Security Industry Scams and Lies
Next by Date: [FD] Phrack Security Advisory 2014-001 - Paper leak on release timeout
Previous by thread: [FD] Security Industry Scams and Lies
Next by thread: [FD] Phrack Security Advisory 2014-001 - Paper leak on release timeout
Index(es):
- Date
- Thread