Developers of the Matrix decentralized communications platform have warned of critical vulnerabilities in the matrix-js-sdk, matrix-ios-sdk and matrix-android-sdk2 libraries that allow server administrators to impersonate other users and read messages in end-to-end encrypted (E2EE) chats. The vulnerabilities stem from bugs in individual implementations of the Matrix protocol, not from the protocol itself. The project has released updates for the affected SDKs and for some of the client applications built on them.
To carry out an attack, the attacker needs control of the homeserver (the server that stores client history and accounts). End-to-end encryption on the client side is meant to prevent the server administrator from interfering with messaging, but the identified vulnerabilities make it possible to bypass this protection. The issues affect the main Matrix client, Element (formerly Riot), for web, desktop, iOS and Android, as well as third-party client applications including Cinny, Beeper, SchildiChat, Circuli and Synod.im. The vulnerabilities do not affect the matrix-rust-sdk, hydrogen-sdk, Matrix Dart SDK, mautrix-python, mautrix-go and matrix-nio libraries, or the Hydrogen, ElementX, Nheko, FluffyChat, Syphon, Timmy, Gomuks and Pantalaimon applications.
There are three main attack scenarios:
- The Matrix server administrator can break emoji-based verification (SAS, Short Authentication Strings) when using cross-signatures and impersonate another user. The issue is caused by a vulnerability (CVE-2022-39250) in the matrix-js-sdk code related to mixing the handling of device IDs and cross-signature keys.
- An attacker in control of the server can impersonate a trusted sender and push a dummy key to the client in order to intercept other users' messages. The issue is caused by vulnerabilities in matrix-js-sdk (CVE-2022-39251), matrix-ios-sdk (CVE-2022-39255) and matrix-android-sdk2 (CVE-2022-39248), which led the client to incorrectly accept to-device messages encrypted with the Megolm protocol rather than Olm, and to attribute those messages to the sender of the Megolm session rather than the actual sender.
- Using the vulnerabilities from the previous item, the server administrator can also add a dummy backup key to the user's account in order to extract the keys used to encrypt messages.
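The second scenario above comes down to a missing validation step on to-device traffic. The following is an added illustration, not code from matrix-js-sdk or any other Matrix SDK: a weak acceptance routine that mirrors the behaviour described (any encrypted to-device event is accepted and attributed to whatever sender the decrypted payload names) beside a hardened one that requires the Olm algorithm, checks that the payload's sender matches the event envelope, and checks that the payload is addressed to this device. The algorithm identifiers are the Matrix spec's; the event and payload objects are constructed sample data, and the function names are this example's own.

```javascript
// Added example (not matrix-js-sdk code). Algorithm identifiers are the
// Matrix spec's; all event/payload objects below are constructed samples.
const OLM_ALGORITHM = "m.olm.v1.curve25519-aes-sha2";
const MEGOLM_ALGORITHM = "m.megolm.v1.aes-sha2";

// Weak check, mirroring the pre-fix behaviour the text describes: any
// m.room.encrypted to-device event is accepted, whatever algorithm it
// claims, and the message is attributed to the sender named inside the
// decrypted payload rather than to the envelope's actual sender.
function weakAcceptToDevice(event, payload) {
  if (event.type !== "m.room.encrypted") return null;
  return { sender: payload.sender, content: payload.content };
}

// Hardened check: to-device traffic must be Olm (Megolm is for room
// messages only), the decrypted payload must name the same sender as the
// envelope, and it must be addressed to this user and this device's
// ed25519 signing key. Anything else is rejected with a reason.
function acceptToDevice(event, payload, ourUserId, ourEd25519Key) {
  if (event.type !== "m.room.encrypted") {
    return { ok: false, reason: "not an encrypted event" };
  }
  if (event.content.algorithm !== OLM_ALGORITHM) {
    return { ok: false, reason: `to-device events must use Olm, got ${event.content.algorithm}` };
  }
  if (payload.sender !== event.sender) {
    return { ok: false, reason: "payload sender does not match envelope sender" };
  }
  const recipientKey = payload.recipient_keys && payload.recipient_keys.ed25519;
  if (payload.recipient !== ourUserId || recipientKey !== ourEd25519Key) {
    return { ok: false, reason: "payload not addressed to this device" };
  }
  return { ok: true, sender: payload.sender, content: payload.content };
}

// Constructed samples. The server-controlled envelope claims Megolm and
// comes from the admin account, while the decrypted payload names Alice
// as the sender (the spoofing the text describes).
const OUR_USER = "@bob:example.org";
const OUR_ED25519 = "constructed-bob-ed25519-key";

const spoofedEnvelope = {
  type: "m.room.encrypted",
  sender: "@admin:example.org",
  content: { algorithm: MEGOLM_ALGORITHM, ciphertext: "<constructed>" },
};
const spoofedPayload = {
  type: "m.room_key",
  sender: "@alice:example.org",
  recipient: OUR_USER,
  recipient_keys: { ed25519: OUR_ED25519 },
  content: { algorithm: MEGOLM_ALGORITHM, session_key: "<constructed>" },
};

// A well-formed Olm to-device message from Alice, for comparison.
const genuineEnvelope = {
  type: "m.room.encrypted",
  sender: "@alice:example.org",
  content: { algorithm: OLM_ALGORITHM, ciphertext: {} },
};
const genuinePayload = { ...spoofedPayload };

function demo() {
  const weak = weakAcceptToDevice(spoofedEnvelope, spoofedPayload);
  const hardenedSpoofed = acceptToDevice(spoofedEnvelope, spoofedPayload, OUR_USER, OUR_ED25519);
  const hardenedGenuine = acceptToDevice(genuineEnvelope, genuinePayload, OUR_USER, OUR_ED25519);
  return { weak, hardenedSpoofed, hardenedGenuine };
}

console.log(JSON.stringify(demo(), null, 2));
```

The weak routine reports the spoofed message as coming from Alice; the hardened one rejects it at the algorithm check before sender attribution is even considered, while still accepting the genuine Olm message. In a real client the recipient checks run on the decrypted Olm plaintext, which only an Olm session with this device could produce in the first place.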
The researchers who identified the vulnerabilities also demonstrated attacks that add a third-party user to a chat or attach a third-party device to a user's account. These attacks rely on the fact that the service messages used to add users to a chat are not bound to the keys of the chat's creator and can therefore be generated by the server administrator. The Matrix developers rated these issues as minor, since such manipulations do not go unnoticed: an injected user appears in the chat's member list, and an added device triggers a warning and is marked as unverified (although immediately after being added, the rogue device begins receiving the public keys needed to decrypt messages).
Source: opennet.ru
