CVE-2022-36009 in gomatrixserverlib
Summary
by MITRE • 08/20/2022
gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.
Analysis
by VulDB Data Team • 08/20/2022
CVE-2022-36009 affects gomatrixserverlib, the Go library that implements the Matrix federation layer, and through it Dendrite, a popular Matrix homeserver built on that library. The issue stems from improper parsing of the m.room.power_levels event, whose content governs which users may perform which actions in a Matrix room. The library failed to read the "events_default" key of that event, so the default power level required to send an event was treated as zero regardless of the room's actual configuration. This deviates from the Matrix specification, where power levels define user permissions and determine whether a user may send a given type of event. The result is a mismatch between expected and actual authorization behavior: users may be allowed to perform actions they should be barred from, or legitimate users may be prevented from performing actions they are entitled to.
The flaw lies in the gomatrixserverlib parsing logic, which does not interpret the "events_default" parameter in the m.room.power_levels event content. That parameter defines the default power level required to send events in a room, but the library ignored it and always assumed a default of zero. Dendrite versions prior to 0.9.3 are affected, as the bundled library's power level validation was incomplete. Classified under CWE-284 (Improper Access Control), this is a privilege escalation risk: the server fails to enforce the authorization policy the room has configured. Rooms with a custom event default power level are processed incorrectly, yielding either over-permissive or under-permissive access control that violates the protocol's security model.
Operationally, this poses risks to room security and to the user experience on affected Matrix deployments. Rooms whose administrators have raised the "events_default" power level above the default of zero are exposed to authorization inconsistencies: a Dendrite server may accept events from users who lack the required level, or reject legitimate events from users who have it. A malicious actor could use this mismatch to disrupt a room or gain unauthorized access to sensitive communication channels. The impact reaches beyond a simple access control bug, since it undermines the trust model of Matrix rooms and with it the integrity and privacy of room communications. Viewed through ATT&CK technique T1078 (legitimate credentials), the flaw could let an adversary manipulate room access controls and escalate privileges within the Matrix ecosystem, although the attack surface is limited to rooms with a non-default event default power level.
The fix in gomatrixserverlib corrects the parsing logic so that the "events_default" key is read and the configured default power level is respected instead of being replaced by zero. Dendrite 0.9.3 incorporates this fix and validates power level configurations according to the Matrix specification. Only rooms with a modified "events_default" power level are affected; rooms keeping the default configuration are not. Organizations running Dendrite should upgrade to 0.9.3 or later, as there is no workaround for this parsing flaw. The case illustrates how a subtle parsing error in a core protocol implementation can translate directly into an authorization failure in a federated messaging system, and why protocol-compliance testing of the open source libraries underpinning such platforms matters.
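To make the defect concrete, the following is an added example, not gomatrixserverlib's or Dendrite's own code: a simplified buggy parser that skips "events_default" beside a fixed one that reads it, both run against a constructed m.room.power_levels content and then through the send-permission check. The struct, function names and the sample room (events_default raised to 50, two listed users) are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed m.room.power_levels content for a room whose admin raised
// events_default to 50 (spec default is 0); not taken from the advisory.
const sampleContent = `{"events_default": 50,
  "users": {"@admin:example.org": 100, "@mod:example.org": 50}}`

// PowerLevels is a simplified stand-in for the library's power-level type;
// users_default and per-type "events" overrides are omitted for brevity.
type PowerLevels struct {
	EventsDefault int64            `json:"events_default"`
	Users         map[string]int64 `json:"users"`
}

// parseBuggy mimics the defect: every key except events_default is read,
// so the event default silently stays at Go's zero value.
func parseBuggy(content []byte) (PowerLevels, error) {
	var partial struct {
		Users map[string]int64 `json:"users"`
	}
	err := json.Unmarshal(content, &partial)
	return PowerLevels{Users: partial.Users}, err
}

// parseFixed reads every key, so an explicit events_default is honoured
// and a missing one still falls back to the spec default of 0.
func parseFixed(content []byte) (pl PowerLevels, err error) {
	err = json.Unmarshal(content, &pl)
	return pl, err
}

// CanSend is the check a server applies to an ordinary event with no
// per-type override. An unlisted user gets users_default, whose spec
// default of 0 a missing map key already yields.
func (pl PowerLevels) CanSend(userID string) bool {
	return pl.Users[userID] >= pl.EventsDefault
}

func main() {
	buggy, _ := parseBuggy([]byte(sampleContent))
	fixed, _ := parseFixed([]byte(sampleContent))
	fmt.Println("guest may send: buggy =", buggy.CanSend("@guest:example.org"),
		"fixed =", fixed.CanSend("@guest:example.org"))
}
```

With the buggy parser an unlisted user at level 0 passes the check in a room that requires 50; with the fixed parser the same user is denied while the listed moderator and admin are still allowed.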