CVE-2022-39255 in matrix-ios-sdk

Summary

by MITRE • 09/29/2022

Matrix iOS SDK allows developers to build iOS apps compatible with Matrix. Prior to version 0.23.19, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, injecting the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. matrix-ios-sdk version 0.23.19 has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround. To avoid malicious backup attacks, one should not verify one's new logins using emoji/QR verification methods until patched.


Analysis

by VulDB Data Team • 10/25/2022

The vulnerability identified as CVE-2022-39255 affects the Matrix iOS SDK version prior to 0.23.19, presenting a critical protocol confusion flaw that undermines the security of end-to-end encrypted communications within the Matrix messaging ecosystem. This vulnerability stems from an improper handling of to-device message encryption protocols, where the SDK incorrectly accepts messages encrypted with Megolm encryption instead of the proper Olm encryption method. The flaw creates a scenario where malicious actors can forge messages that appear legitimate while originating from trusted users, fundamentally compromising the integrity of the communication channel.

The technical implementation of this vulnerability operates through a protocol confusion attack pattern that aligns with CWE-444, specifically targeting the improper handling of protocol elements. When a malicious homeserver collaborates with an attacker, it can construct to-device messages that bypass normal encryption verification procedures. The SDK's failure to properly validate the encryption method allows these forged messages to be processed as legitimate communications, creating a false sense of security for users who believe they are receiving authentic messages from their contacts.

The operational impact of this vulnerability extends beyond simple message forgery to include sophisticated targeted attacks that can compromise user authentication and key management processes. Attackers can exploit this weakness to inject malicious key backup secrets during self-verification procedures, effectively compromising the user's cryptographic identity. The vulnerability enables an attacker to manipulate device behavior by making a targeted device believe it should use a malicious key backup that has been spoofed by the compromised homeserver, potentially leading to complete cryptographic compromise of user communications.

This attack vector represents a significant threat to the Matrix protocol's security model, as it undermines the fundamental principle of message authenticity and device verification. The vulnerability requires coordination between a malicious homeserver and an attacker, but once exploited, it can result in complete compromise of user identity verification processes and key backup mechanisms. The fix implemented in version 0.23.19 addresses this by accepting only Olm-encrypted to-device messages, with additional security checks added as a precautionary measure.

The implications of this vulnerability extend to the broader Matrix ecosystem and highlight the importance of proper encryption protocol validation in mobile messaging applications. Users who trust their homeservers are not immediately vulnerable, since the attack requires a compromised server to be effective. The recommended mitigation includes avoiding emoji or QR verification methods until patched, which aligns with ATT&CK technique T1557 for credential access through protocol manipulation. Organizations and developers should prioritize updating to the patched version and implementing additional verification measures to prevent exploitation of this protocol confusion vulnerability that could lead to complete compromise of end-to-end encrypted communications.
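As an added illustration (not code from matrix-ios-sdk, which is written in Objective-C/Swift; this is Python), the algorithm-only dispatch that the summary and analysis above describe, beside the Olm-only check that version 0.23.19 enforces for the to-device channel. The algorithm identifiers are the Matrix spec's; the event samples and the session stubs are constructed for this example and stand in for real Olm/Megolm sessions.

```python
"""Transport-aware algorithm check for Matrix to-device events (constructed example)."""
from typing import Any, Callable, Dict

# Algorithm identifiers from the Matrix spec.
OLM = "m.olm.v1.curve25519-aes-sha2"  # pairwise session, binds plaintext to a sender key
MEGOLM = "m.megolm.v1.aes-sha2"       # group ratchet for rooms; its keys arrive via the server
Event = Dict[str, Any]
Decryptor = Callable[[Event], Dict[str, Any]]

class RejectedEvent(Exception):
    """Raised when a to-device event fails validation."""

def vulnerable_decrypt_to_device(event: Event, decryptors: Dict[str, Decryptor]) -> Dict[str, Any]:
    """Pre-0.23.19 shape of the bug: dispatch on the algorithm field alone, so any
    algorithm the SDK can decrypt (including Megolm) is accepted on the to-device channel."""
    algorithm = event.get("content", {}).get("algorithm")
    if algorithm not in decryptors:
        raise RejectedEvent(f"unknown algorithm {algorithm!r}")
    return decryptors[algorithm](event)

def hardened_decrypt_to_device(event: Event, decryptors: Dict[str, Decryptor]) -> Dict[str, Any]:
    """0.23.19 behaviour: the to-device channel may only carry Olm-encrypted events."""
    if event.get("type") != "m.room.encrypted":
        raise RejectedEvent("to-device payload is not an m.room.encrypted event")
    algorithm = event.get("content", {}).get("algorithm")
    if algorithm != OLM:
        raise RejectedEvent(f"to-device messages must use Olm, got {algorithm!r}")
    return decryptors[OLM](event)

def accepts(decrypt: Callable[..., Dict[str, Any]], event: Event) -> bool:
    """True if the dispatcher accepts the event, False if it rejects it."""
    try:
        decrypt(event, DECRYPTORS)
        return True
    except RejectedEvent:
        return False

# Stand-ins for real Olm/Megolm sessions; they only model who vouches for the sender.
def _olm_stub(event: Event) -> Dict[str, Any]:
    return {"sender": event["sender"], "vouched_by": event["content"]["sender_key"]}
def _megolm_stub(event: Event) -> Dict[str, Any]:
    return {"sender": event["sender"], "vouched_by": None}  # no device binding on this channel

DECRYPTORS: Dict[str, Decryptor] = {OLM: _olm_stub, MEGOLM: _megolm_stub}

# Constructed samples: a genuine Olm to-device event, and a Megolm payload pushed over to-device.
OLM_EVENT: Event = {"type": "m.room.encrypted", "sender": "@alice:example.org", "content": {
    "algorithm": OLM, "sender_key": "ALICE_CURVE25519_KEY", "ciphertext": {"BOB_KEY": {"type": 0, "body": "..."}}}}
MEGOLM_EVENT: Event = {"type": "m.room.encrypted", "sender": "@alice:example.org", "content": {
    "algorithm": MEGOLM, "session_id": "ATTACKER_SESSION", "sender_key": "ATTACKER_KEY", "ciphertext": "..."}}
```

The vulnerable dispatcher accepts MEGOLM_EVENT and hands back a "sender" that nothing on the to-device channel vouches for; the hardened one rejects it while still accepting OLM_EVENT.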

Responsible

GitHub, Inc.

Reservation

09/02/2022

Disclosure

09/29/2022

Moderation

accepted

CPE

ready

EPSS

0.00720

KEV

no

Activities

very low

Sources
