Previously received keys were accepted without any checks or validation. It is therefore possible for an attacker to send an unsolicited message to a user, or even to forge a message and forward it to unsuspecting users. This issue has been fixed in matrix-ios-sdk version 0.23.19. IMPORTANT NOTE: This issue does not affect clients that do not support server-side message signing.
CVE-2023-39258
There is no validation on the protocol handler, which has been fixed in matrix-ios-sdk version 0.23.19.
The matrix-ios-sdk versions 0.23.19 and above contain a fix for this issue, which impacts clients that don't support server-side message signing (such as iOS 9).
Key Escrow
Key escrow entails storing cryptographic keys on a third-party server to prevent their misuse. This is done in order to provide strong authentication for systems that require it, such as online banking or internet services.
The issue with the previous version of matrix-ios-sdk was that key escrow could have been enabled without any checks and validation, which would make it possible for an attacker to send unsolicited messages to unsuspecting users. This issue has been fixed in the latest version of matrix-ios-sdk 0.23.19
Timeline
Published on: 09/28/2022 21:15:00 UTC
Last modified on: 09/30/2022 16:10:00 UTC
References
- https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
- https://github.com/matrix-org/matrix-ios-sdk/security/advisories/GHSA-qxr3-5jmq-xcf4
- https://github.com/matrix-org/matrix-ios-sdk/releases/tag/v0.23.19
- https://github.com/matrix-org/matrix-ios-sdk/commit/5ca86c328a5faaab429c240551cb9ca8f0f6262c
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39257