CVE-2022-39251

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.

### Impact An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. ### Patches matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added: - Cleartext `m.room_key`, `m.forwarded_room_key` and `m.secret.send` to_device messages are discarded. - Secrets received from untrusted devices are discarded. - Key backups are only usable if they have a valid signature from a trusted device (no more local trust, or trust-on-decrypt). - The origin of a to-device message should only be determined by observing the Olm session which managed to decrypt the message, and not by using claimed sender_key, user_id, or any other fields controllable by the homeserver. ### Workarounds As this attack requires coordination between a malicious home server and an attacker, if you trust your home server no particular workaround is needed. Notice that the backup spoofing attack is a particularly sophisticated targeted attack. We are not aware of this attack being used in the wild, though specifying a false positive-free way of noticing malicious key backups key is challenging. As an abundance of caution, to avoid malicious backup attacks, you should not verify your new logins using emoji/QR verifications methods until patched. Prefer verifying with your security passphrase instead. ### References Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients ### For more information If you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).

### Impact An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. ### Patches matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added: - Cleartext `m.room_key`, `m.forwarded_room_key` and `m.secret.send` to_device messages are discarded. - Secrets received from untrusted devices are discarded. - Key backups are only usable if they have a valid signature from a trusted device (no more local trust, or trust-on-decrypt). - The origin of a to-device message should only be determined by observing the Olm session which managed to decrypt the message, and not by using claimed sender_key, user_id, or any other fields controllable by the homeserver. ### Workarounds As this attack requires coordination between a malicious home server and an attacker, if you trust your home server no particular workaround is needed. Notice that the backup spoofing attack is a particularly sophisticated targeted attack. We are not aware of this attack being used in the wild, though specifying a false positive-free way of noticing malicious key backups key is challenging. As an abundance of caution, to avoid malicious backup attacks, you should not verify your new logins using emoji/QR verifications methods until patched. Prefer verifying with your security passphrase instead. ### References Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients ### For more information If you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).

Matrix Javascript SDK es el SDK cliente-servidor de Matrix para JavaScript. En versiones anteriores a 19.7.0, un atacante que coopere con un servidor doméstico malicioso puede construir mensajes que parezcan legítimamente proceder de otra persona, sin ninguna indicación como un escudo gris. Además, un atacante sofisticado que coopere con un servidor doméstico malicioso podría emplear esta vulnerabilidad para llevar a cabo un ataque dirigido con el fin de enviar mensajes falsos al dispositivo que parezcan proceder de otro usuario. Esto puede permitir, por ejemplo, inyectar el secreto de la copia de seguridad de la clave durante una autoverificación, para hacer que un dispositivo objetivo comience a usar una copia de seguridad de la clave maliciosa falsificada por el servidor doméstico. Estos ataques son posibles debido a una vulnerabilidad de confusión en el protocolo que acepta mensajes hacia el dispositivo cifrados con Megolm en lugar de Olm. A partir de la versión 19.7.0, matrix-js-sdk ha sido modificado para aceptar únicamente mensajes to-device cifrados con Olm. Por precaución, han sido auditadas o añadidas otras comprobaciones. Este ataque requiere la coordinación entre un servidor doméstico malicioso y un atacante, por lo que aquellos que confían en sus servidores domésticos no necesitan una mitigación