The Matrix decentralized communication platform has published a security warning about two critical-severity vulnerabilities that affect the end-to-end encryption implementation in several of its software development kits (SDKs).
A threat actor exploiting these flaws could break the confidentiality of Matrix communications and mount man-in-the-middle attacks that expose message contents in plaintext.
The affected clients are those built on matrix-js-sdk, matrix-ios-sdk, and matrix-android-sdk2, such as Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.im.
Clients that use a different encryption implementation (e.g. Hydrogen, ElementX, Nheko, FluffyChat, Syphon, Timmy, Gomuks, Pantalaimon) are not affected.
Matrix underlines that the issues have been fixed and that all users need to do to keep their communications safe is apply the available updates to their messaging clients.
Matrix's announcement states that the flaws are not easy to exploit and that there is no evidence of active exploitation.
The security issues lie in the SDKs' implementation of the encryption mechanisms rather than in the protocol itself. They were discovered by researchers at Brave Software, Royal Holloway, University of London, and the University of Sheffield, and were responsibly disclosed to Matrix.
The group has also published a technical paper detailing its findings and presenting six example attacks that exploit the bugs.
In summary, the critical-severity flaws discovered by the team are the following:
CVE-2022-39250: Key/device identifier confusion in SAS verification in matrix-js-sdk, which lets a malicious homeserver administrator break emoji-based verification when cross-signing is used, so that the administrator's key is verified in place of the target user's.
CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk that leads to messages from a spoofed sender being accepted, opening the way to impersonating a trusted sender. The same flaw lets malicious homeserver admins add backup keys to the target's account.
CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients).
CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients).
Apart from the issues above, the following lower-severity issues were also found:
CVE-2022-39249: Semi-trusted impersonation problem in matrix-js-sdk: keys forwarded without having been requested were accepted, making it possible to impersonate other users on the server. Clients mark messages decrypted with such keys as suspicious on the recipient's end, which lowers the severity of the bug.
CVE-2022-39257: Same as CVE-2022-39249 but impacting matrix-ios-sdk (iOS clients).
CVE-2022-39246: Same as CVE-2022-39249 but impacting matrix-android-sdk2 (Android clients).
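As an added illustration of the check that closes the "keys forwarded without request" class of bug (example code written for this article, not matrix-js-sdk's own implementation): a forwarded Megolm session key is only accepted when this client previously requested it from that exact device, a request is consumed by its first answer, and the key is always recorded as untrusted so that messages decrypted with it can be flagged. The content fields follow the Matrix spec's m.forwarded_room_key event; the events, room, user and device identifiers are constructed, and the sender identity is assumed to have been established by the Olm layer outside this code.

```javascript
// Added example (not matrix-js-sdk code): gate m.forwarded_room_key events.
// Accept a forwarded Megolm session only if this client asked that exact
// device for it, and never treat a forwarded key as trusted on its own.
class ForwardedKeyGate {
  constructor() {
    this.pending = new Map();  // request id -> { userId, deviceId } we asked
    this.sessions = new Map(); // request id -> accepted session record
  }

  static requestId(roomId, senderKey, sessionId) {
    return `${roomId}|${senderKey}|${sessionId}`;
  }

  // Called when this client sends an m.room_key_request to a specific device.
  requestKey(roomId, senderKey, sessionId, userId, deviceId) {
    this.pending.set(ForwardedKeyGate.requestId(roomId, senderKey, sessionId), { userId, deviceId });
  }

  // `event` is the decrypted Olm payload of a to-device event.
  // `authenticatedSender` is the { userId, deviceId } the Olm layer established
  // from the session's identity key (assumed to be done outside this example).
  onToDeviceEvent(event, authenticatedSender) {
    if (event.type !== 'm.forwarded_room_key') return 'ignored';
    const c = event.content || {};
    if (c.algorithm !== 'm.megolm.v1.aes-sha2') return 'rejected: unsupported algorithm';
    for (const f of ['room_id', 'sender_key', 'session_id', 'session_key']) {
      if (typeof c[f] !== 'string' || c[f].length === 0) return `rejected: missing ${f}`;
    }
    const id = ForwardedKeyGate.requestId(c.room_id, c.sender_key, c.session_id);
    const req = this.pending.get(id);
    if (!req) return 'rejected: unsolicited';
    if (req.userId !== authenticatedSender.userId || req.deviceId !== authenticatedSender.deviceId) {
      return 'rejected: not the device we asked';
    }
    this.pending.delete(id); // one answer per request; later copies count as unsolicited
    this.sessions.set(id, {
      sessionKey: c.session_key,
      claimedEd25519: c.sender_claimed_ed25519_key,
      forwardedBy: authenticatedSender,
      trusted: false, // a forwarded key never becomes trusted by itself
    });
    return 'accepted: untrusted';
  }
}

// Constructed sample: @alice asks her own second device for a session key,
// while a hostile party tries to slip in the same key unasked.
function demo() {
  const gate = new ForwardedKeyGate();
  const content = {
    algorithm: 'm.megolm.v1.aes-sha2',
    room_id: '!room:example.org',
    sender_key: 'SENDER_CURVE25519_KEY',
    session_id: 'SESSION_ID_1',
    session_key: 'EXPORTED_SESSION_KEY',
    sender_claimed_ed25519_key: 'SENDER_ED25519_KEY',
    forwarding_curve25519_key_chain: [],
  };
  const fwd = { type: 'm.forwarded_room_key', content };
  const mallory = { userId: '@mallory:example.org', deviceId: 'EVIL1' };
  const laptop = { userId: '@alice:example.org', deviceId: 'LAPTOP' };
  const decisions = [];
  // 1. Nobody asked for this key: reject.
  decisions.push(gate.onToDeviceEvent(fwd, mallory));
  gate.requestKey(content.room_id, content.sender_key, content.session_id, laptop.userId, laptop.deviceId);
  // 2. A request exists, but the answer comes from a different device: reject.
  decisions.push(gate.onToDeviceEvent(fwd, mallory));
  // 3. Answer from the device we asked: accept, but only as untrusted.
  decisions.push(gate.onToDeviceEvent(fwd, laptop));
  // 4. Replay of the same forward: the request was consumed, so reject again.
  decisions.push(gate.onToDeviceEvent(fwd, laptop));
  return { decisions, sessions: [...gate.sessions.values()] };
}

console.log(demo());
```

The gate keys requests on (room, sender key, session id) rather than on the session id alone, so a key for a different sender's session cannot satisfy a pending request, and it consumes the request on the first accepted answer so that a later copy from the same device is treated as unsolicited.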
There are also two issues that have not been assigned CVE identifiers. The first allows a malicious homeserver to fake invites on behalf of its users or to add devices to user accounts.
The second is the use of AES-CTR to encrypt attachments, secrets, and symmetric key backups without an AES initialization vector, which makes the encryption insecure.
One point the researchers who found the flaws make is that Matrix's cryptographic building blocks are robust, but the project has been loose about composing them securely.
The variety of bug types (insecure by design, protocol confusion, lack of domain separation, implementation bugs) and the spread of the impact across multiple sub-protocols and libraries support this, as the technical paper highlights:
Besides the observed implementation and specification errors, these vulnerabilities highlight a lack of a unified and formal approach to security guarantees in Matrix.
Rather, the specification and implementations seem to have grown “organically” with new sub-protocols adding new functionalities and thus inadvertently subverting the security guarantees of the core protocol.
This suggests that, besides fixing the specific vulnerabilities reported here, Matrix/Megolm will need to receive a formal security analysis to establish confidence in the design.
Matrix is currently focusing on developing cleaner and safer second- and third-generation SDKs written in Rust, and the discovered flaws do not affect those newer SDKs.
Thunderbird, which added support for Matrix VoIP and chat in version 102, released in June 2022, also pushed a security update yesterday that addresses the issues.