Synapse, a Matrix protocol homeserver written in Python using the Twisted framework, has been discovered to have a security issue in certain versions which may allow deactivated users to log in under specific uncommon configurations. This vulnerability, tagged as CVE-2023-32682, affects Synapse installations where JSON Web Tokens are enabled, or where the local password database is enabled and a user's password is updated after they've been deactivated. The issue has been fixed in Synapse version 1.85., and users are advised to upgrade.

The Vulnerability

The vulnerability occurred because the code did not properly check the account status when a user authenticated via JSON Web Tokens (JWT) or updated their password after being deactivated. Under the specific configurations mentioned above, the login process did not take into account whether the user had been deactivated, allowing them to access the system.

Here is a small code snippet that demonstrates the issue:

def _check_user_auth(self, user_id, password):
    user = self.get_user_by_id(user_id)
    if user is None:
        return False

    # This checks for a deactivated user but doesn't cover the JWT auth or
    # the password-update-after-deactivation scenario
    if user.deactivated:
        return False

    # Rest of the code to authenticate the user
    return True

Affected Configurations

This vulnerability only affects Synapse installations with one or more of the following configurations:

1. JSON Web Tokens are enabled for login via the jwt_config.enabled configuration setting.

2. The local password database is enabled via the password_config.enabled and password_config.localdb_enabled configuration settings *and* a user's password is updated via an admin API after a user is deactivated.

Note that installations which only allow login through Single Sign-On (SSO) via CAS, SAML, or OpenID Connect (OIDC), or via an external password provider (e.g. LDAP), are not affected.

Solution

In order to address this vulnerability, first upgrade your Synapse installation to version 1.85. or later, which contains the fix for this issue. The patch includes proper checks for user deactivation status during the login process. Here's the updated code snippet:

def _check_user_auth(self, user_id, password):
    user = self.get_user_by_id(user_id)
    if user is None:
        return False

    # Updated check for deactivated users covering the JWT auth and
    # password-update-after-deactivation scenarios
    if user.deactivated or not self._is_user_password_correct(user, password):
        return False

    # Rest of the code to authenticate the user
    return True

If you are not using JSON Web Tokens, you can also mitigate the vulnerability by ensuring that your deactivated users do not have a password set.
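The following is an added, self-contained simulation of the two affected login paths, written for this write-up; it is not Synapse code and does not reproduce Synapse's real internals. It assumes (as the advisory implies) that deactivating an account clears the stored password hash, that the admin password-reset path does not consult the deactivated flag, and that the pre-1.85 JWT login path never checked it either. `Homeserver`, `scenario`, the minimal HS256 helpers and the user `@alice:example.org` are all constructed for the example. With `patched=False` a deactivated user still logs in via JWT, and again via password once an admin resets it; with `patched=True` a single `_is_active` check in every login path closes both holes.

```python
import base64
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    user_id: str
    password_hash: Optional[bytes] = None  # None: no local password stored
    salt: bytes = b""
    deactivated: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the bcrypt hashing a real homeserver would use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_hs256_jwt(payload: dict, secret: bytes) -> str:
    """Builds a constructed HS256 token for the simulation (not a JWT library)."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Returns the claims if the HS256 signature verifies, otherwise None."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        return None
    return json.loads(_b64url_decode(body))


class Homeserver:
    """Toy login handler: patched=False models the flaw, patched=True the fix."""

    def __init__(self, jwt_secret: bytes, jwt_enabled: bool, localdb_enabled: bool, patched: bool):
        self.users: Dict[str, User] = {}
        self.jwt_secret = jwt_secret
        self.jwt_enabled = jwt_enabled          # jwt_config.enabled
        self.localdb_enabled = localdb_enabled  # password_config.localdb_enabled
        self.patched = patched

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, hash_password(password, salt), salt)

    def deactivate(self, user_id: str) -> None:
        user = self.users[user_id]
        user.deactivated = True
        user.password_hash = None  # assumption: this side effect is all that blocked password login pre-fix

    def admin_set_password(self, user_id: str, new_password: str) -> None:
        # Admin API reset; it never looks at the deactivated flag.
        user = self.users[user_id]
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)

    def _is_active(self, user_id: str) -> bool:
        user = self.users.get(user_id)
        return user is not None and not user.deactivated

    def login_password(self, user_id: str, password: str) -> bool:
        user = self.users.get(user_id)
        if not self.localdb_enabled or user is None or user.password_hash is None:
            return False
        if self.patched and not self._is_active(user_id):  # the 1.85-style check
            return False
        return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))

    def login_jwt(self, token: str) -> Optional[str]:
        if not self.jwt_enabled:
            return None
        claims = verify_hs256_jwt(token, self.jwt_secret)
        if claims is None or claims.get("sub") not in self.users:
            return None
        if self.patched and not self._is_active(claims["sub"]):  # the 1.85-style check
            return None
        return claims["sub"]


def scenario(patched: bool) -> Dict[str, bool]:
    """Drives a deactivated account through both affected configurations."""
    secret = b"constructed-jwt-secret"
    hs = Homeserver(secret, jwt_enabled=True, localdb_enabled=True, patched=patched)
    hs.register("@alice:example.org", "correct horse")
    hs.deactivate("@alice:example.org")
    token = make_hs256_jwt({"sub": "@alice:example.org"}, secret)
    out = {"jwt_after_deactivation": hs.login_jwt(token) is not None}
    out["password_after_deactivation"] = hs.login_password("@alice:example.org", "correct horse")
    hs.admin_set_password("@alice:example.org", "new password")
    out["password_after_admin_reset"] = hs.login_password("@alice:example.org", "new password")
    return out
```

Running `scenario(False)` gives `jwt_after_deactivation` and `password_after_admin_reset` as True while `password_after_deactivation` is False, which is why the flaw only surfaces under the two configurations listed above: the missing check was masked by the cleared hash until either a JWT bypassed the hash entirely or an admin put a new hash back. `scenario(True)` returns False for all three.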

For more information about this vulnerability, please refer to the following sources:

1. Synapse project GitHub: https://github.com/matrix-org/synapse
2. Synapse 1.85. release notes: https://github.com/matrix-org/synapse/releases/tag/v1.85.
3. CVE details and affected versions: https://nvd.nist.gov/vuln/detail/CVE-2023-32682

Conclusion

CVE-2023-32682 represents a significant, albeit uncommon, vulnerability in the Synapse Matrix homeserver. By updating your Synapse installation to version 1.85. or later and carefully considering your configuration settings, you can protect your system from unauthorized access by deactivated users.

Timeline

Published on: 06/06/2023 19:15:00 UTC
Last modified on: 06/17/2023 03:15:00 UTC