Vulnerability in Matrix clients that could expose end-to-end encryption keys

Vulnerabilities (CVE-2021-40823, CVE-2021-40824) have been identified in most client applications for the Matrix communication platform, allowing information about the keys used to send messages in end-to-end encrypted (E2EE) chats to be obtained. An attacker who has compromised one of the chat participants can decrypt messages previously sent to that user from vulnerable client applications.

Successful exploitation requires access to the account of the message recipient. Access can be obtained through a leak of the account credentials or through a compromise of the Matrix server through which the user connects. The vulnerability poses the greatest risk to users of encrypted chat rooms to which Matrix servers controlled by attackers are connected. Administrators of such servers may attempt to impersonate the server's users in order to gain access to chat messages sent from vulnerable client applications.

The vulnerability is caused by logic errors in the implementation of the key re-sharing mechanism found in matrix-js-sdk <12.4.1 (CVE-2021-40823), matrix-android-sdk2 <1.2.2 (CVE-2021-40824), matrix-rust-sdk <0.4.0, FamedlySDK <0.5.0 and Nheko ≤ 0.8.2. Applications based on the matrix-ios-sdk, matrix-nio and libolm libraries are not affected.

Accordingly, the vulnerability appears in all applications that borrowed the problematic code, and it does not directly affect the Matrix and Olm/Megolm protocols themselves. In particular, the problem affects the main Matrix client Element (formerly Riot) for Web, desktop and Android, as well as third-party client applications and libraries, including FluffyChat, Nheko, Cinny and SchildChat. The problem does not appear in the official client for the iOS platform, nor in the Chatty, Hydrogen, mautrix, purple-matrix and Siphon applications.

The vulnerability was identified during a security audit of the Element client. A fix has now been released for all affected clients. Users are advised to install the update immediately and to take their clients offline before installing it. There is no evidence that the vulnerability was exploited before the patch was published. It is not possible to establish whether an attack took place using standard client and server logs, but since the attack requires compromise of an account, administrators can check for suspicious logins using the authentication logs on their servers, and users can review the list of devices linked to their account for recent reconnections and changes of trust status.

The key sharing mechanism, in whose implementation the vulnerability was found, allows a client that lacks the key needed to decrypt a message to request that key from the sender's device or from the user's other devices. Such a capability is needed, for example, to decrypt old messages on a user's new device or when the user has lost the existing keys. The Matrix specification prescribes that, by default, key requests are not answered and keys are sent automatically only to verified devices of the same user. Unfortunately, in the specific implementations this requirement was not met, and key requests were processed without proper verification of the requesting device.
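As an added illustration (not code from matrix-js-sdk or any of the clients named above), the following JavaScript models the decision a client should make when it receives a room-key request, applying the rule the specification prescribes: share automatically only with a known, verified device of the same user that is asking for a session the client actually holds. The device store, request shape and session identifiers are constructed for this example.

```javascript
// Constructed device list as a client might track it: userId -> deviceId -> info.
// "verified" models the result of device verification (e.g. cross-signing or SAS).
const deviceStore = {
  "@alice:example.org": {
    LAPTOP1: { verified: true },
    PHONE2: { verified: false },
  },
  "@bob:example.org": {
    BOBDEV: { verified: true },
  },
};

// Constructed set of Megolm sessions this client holds, keyed "roomId|sessionId".
const heldSessions = new Set(["!room1:example.org|SESSION_A"]);

// Decide whether a room-key request may be answered automatically.
// ownUserId: the local account; request: { userId, deviceId, roomId, sessionId }.
// The vulnerable implementations described in the article effectively skipped
// the device checks (steps 1-3) and answered requests without verifying the device.
function shouldShareRoomKey(ownUserId, request, devices, sessions) {
  // 1. Only our own devices may receive keys automatically.
  if (request.userId !== ownUserId) {
    return { share: false, reason: "request from another user" };
  }
  // 2. The requesting device must be known from the user's device list.
  const userDevices = devices[request.userId] || {};
  const device = userDevices[request.deviceId];
  if (!device) {
    return { share: false, reason: "unknown device" };
  }
  // 3. The device must have been verified by the user.
  if (!device.verified) {
    return { share: false, reason: "device not verified" };
  }
  // 4. We must actually hold the requested session; otherwise there is nothing to share.
  if (!sessions.has(`${request.roomId}|${request.sessionId}`)) {
    return { share: false, reason: "session not held" };
  }
  return { share: true, reason: "verified own device" };
}

// Evaluate a batch of requests and return only the ones that were refused,
// which is the list a defender would want to see in a client's audit output.
function refusedRequests(ownUserId, requests, devices, sessions) {
  return requests
    .map((r) => ({ ...r, ...shouldShareRoomKey(ownUserId, r, devices, sessions) }))
    .filter((d) => !d.share);
}
```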

Source: budenet.ru
