Recently the news was released that vulnerabilities were identified (CVE-2021-40823, CVE-2021-40824) in most client applications for the decentralized communications platform Matrix, which allow obtaining information about the keys used to transfer messages in encrypted end-to-end chats (E2EE).
An attacker who has compromised one of the users from the chat can decrypt previously sent messages to this user from vulnerable client applications. Successful operation requires access to the message recipient's account and access can be obtained both through a leak of account parameters and by hacking the Matrix server through which the user connects.
It is mentioned that the vulnerabilities are most dangerous for users of encrypted chat rooms to which attackers-controlled Matrix servers are connected. Administrators of such servers can attempt to impersonate users of the server to intercept messages sent to chat from vulnerable client applications.
Vulnerabilities are caused by logical errors in the implementations of the mechanism to grant re-access to keys proposals in the different clients detected. Implementations based on the matrix-ios-sdk, matrix-nio, and libolm libraries are not vulnerable to vulnerabilities.
In consecuense, vulnerabilities appear in all applications that borrowed the problematic code y they do not directly affect the Matrix and Olm / Megolm protocols.
Specifically, the issue affects the core Element Matrix (formerly Riot) client for the web, desktop, and Android, as well as third-party client applications and libraries, such as FluffyChat, Nheko, Cinny, and SchildiChat. The problem does not appear in the official iOS client, nor in the Chatty, Hydrogen, mautrix, purple-matrix and Siphon applications.
The patched versions of the affected clients are now available; so it is requested that it be updated as soon as possible and we apologize for the inconvenience. If you can't upgrade, consider keeping vulnerable clients offline until you can. If vulnerable clients are offline, they cannot be tricked into revealing the keys. They may be safely back online once they are updated.
Unfortunately, it is difficult or impossible to retroactively identify instances of this attack with standard log levels present on both clients and servers. However, since the attack requires compromising the account, home server administrators may wish to review their authentication logs for any signs of inappropriate access.
The key exchange mechanism, in the implementation of which the vulnerabilities were found, allows a client who does not have the keys to decrypt a message to request keys from the sender's device or other devices.
For example, this capability is necessary to ensure the decryption of old messages on the user's new device or in the event that the user loses existing keys. The protocol specification prescribes by default not to respond to key requests and to automatically send them only to verified devices of the same user. Unfortunately, in practical implementations, this requirement was not met and requests to send keys were processed without proper device identification.
The vulnerabilities were identified during a security audit of the Element client. The fixes are now available to all troubled customers. Users are advised to urgently install updates and disconnect clients before installing the update.
There was no evidence of exploiting the vulnerability prior to the release of the review. It is impossible to determine the fact of an attack using standard client and server logs, but since the attack requires compromising the account, administrators can analyze the presence of suspicious logins using the authentication logs on their servers, and the Users can evaluate the list of devices linked to their account for recent reconnections and trust status changes.
Source: https://matrix.org