matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library.…
GitHub_M·CWE-287·Published 2022-09-29
matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their devices, the software correctly remembers the request. When the user receives a forwarded room key, the software accepts it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.6 fixes this issue.
matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their devices, the software correctly remembers the request. When the user receives a forwarded room key, the software accepts it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.6 fixes this issue.
When the user receives a forwarded room key, the software accepts it without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack.
### Impact When matrix-rust-sdk before 0.6 requests a room key from our devices, it correctly accepts key forwards only if they are a response to a previous request. However, it doesn't check that the device that responded matches the device the key was requested from. This allows a malicious homeserver to insert room keys of questionable validity into the key store in some situations, potentially assisting in an impersonation attack. Note that even if key injection succeeds in this way, all forwarded keys have the `imported` flag set, which is used as an indicator that such keys have lesser authentication properties (and should be marked as such in clients, e.g. with a grey shield besides the message). ### For more information If you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).
matrix-rust-sdk es una implementación de una biblioteca cliente-servidor de Matrix en Rust, y matrix-sdk-crypto es la biblioteca de cifrado de Matrix. En versiones anteriores a 0.6, cuando un usuario solicita una clave de habitación de sus dispositivos, el software recuerda correctamente la petición. Cuando el usuario recibe una clave de habitación reenviada, el software la acepta sin comprobar de quién procede la clave de habitación. Esto permite que los servidores domésticos intenten insertar llaves de habitación de dudosa validez, montando potencialmente un ataque de suplantación de identidad. La versión 0.6 corrige este problema
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 8.6 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
| 3.1 | Primary | cve.org | 8.6 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| 3.1 | Secondary | NVD | 8.6 | 3.9 | 4.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
| 3.1 | Secondary | GHSA | 6.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |