Matrix recently patched five vulnerabilities in its end-to-end encryption — two of them critical — that have the ability to break the confidentiality and authentication of messages.
If not patched, these vulnerabilities would let a malicious server read user messages and impersonate devices.
Matrix manages some 100,000 servers worldwide. Its technology delivers a federated communication protocol that lets clients with accounts on Matrix servers exchange messages. Matrix provides simple HTTP APIs and SDKs that help developers create chatrooms, direct chats and chat bots, complete with end-to-end encryption, file transfer, synchronized conversation history, formatted messages, and read receipts.
The vulnerabilities were discovered by security researchers at Royal Holloway University London, University of Sheffield, and Brave Software and then published in an 18-page academic paper. According to a blog posted by Matrix, the two critical vulnerabilities include the following:
- CVE-2022-39250: A bug existed in matrix-js-sdk where it confused device IDs and cross-signing keys. A malicious server admin could exploit that to break emoji-based verification when cross-signing is used, authenticating themselves rather than the target user being verified.
- CVE-2022-39251: In this one, matrix-js-sdk suffered from a protocol-confusion bug where it would incorrectly accept "to-device" messages encrypted by Megolm (used to encrypt group messages rather than Olm (encrypted from the same sequence), attributing them to the Megolm sender rather than the actual sender. This would let an attacker fake the trusted sender of "to-device" messages, allowing them to send fake "to-device" messages to devices; e.g.: use fake keys to spoof historical messages from other users.
Eric Cole, advisory board member at Theon Technology, said this teaches us two important lessons. First, encryption software must have more rigorous testing than other software. Second, unpatched systems are still one of the top methods attackers use to compromise servers even with encryption software, so it’s important to patch, patch, patch.
“While it appears that this has been caught before it has been used in the wild, it is important to remember that we just do not know,” Cole said. “Attackers are clever, attackers can hide their tracks and attackers can use delay methods to make it harder to detect. It appears this was caught early enough, but proper investigations of potential infected users should still be performed.”