======================================================================
CERT-Renater Information Note No. 2024/VULN514
_____________________________________________________________________

DATE : 04/12/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Synapse versions prior to 23.2.1, 24.0.2, 25.0.1.
=====================================================================

https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h
https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h
https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr
https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x
_____________________________________________________________________

Synapse can be forced to thumbnail unexpected file formats, invoking potentially untrustworthy decoders

Severity: High
Published: GHSA-vp6v-whfm-rv3g by sandhose, Dec 3, 2024
Package: matrix-synapse (pip)
Affected versions: < 1.120.1
Patched versions: 1.120.1

Description

Impact

In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem.

For a list of image formats, as well as decoding libraries and helper programs used, see the Pillow documentation.

Patches

Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP.
Workarounds

Ensure any image codecs and helper programs, such as Ghostscript, are patched against security vulnerabilities.

Uninstall unused image decoder libraries and helper programs, such as Ghostscript, from the system environment that Synapse is running in. Depending on the installation method, there may be some decoder libraries bundled with Pillow and these cannot be easily uninstalled.

The official Docker container image does not include Ghostscript.

References

The Pillow documentation includes a list of supported image formats and which libraries or helper programs are used to decode them.

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity: High
CVE ID: CVE-2024-53863
Weaknesses: No CWEs
_____________________________________________________________________

Malicious invites via federation can break a user's sync

Severity: High
Published: GHSA-f3r3-h2mq-hx2h by sandhose, Dec 3, 2024
Package: matrix-synapse (pip)
Affected versions: < 1.120.1
Patched versions: 1.120.1

Description

Impact

Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality.

Patches

Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.

Workarounds

Server administrators can disable federation from untrusted servers.

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.
Severity: High (8.7/10)

CVSS v4 base metrics
  Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: None
    User Interaction: None
  Vulnerable System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: High
  Subsequent System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: None
  Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE ID: CVE-2024-52815
Weaknesses: No CWEs
_____________________________________________________________________

Unsupported content types can lead to memory exhaustion

Severity: High
Published: GHSA-rfq8-j7rh-8hf2 by sandhose, Dec 3, 2024
Package: matrix-synapse (pip)
Affected versions: < 1.120.1
Patched versions: 1.120.1

Description

Impact

In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.

Patches

Synapse 1.120.1 resolves the issue by denying requests with the unsupported multipart/form-data content type.

Workarounds

Limiting request sizes or blocking the multipart/form-data content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low max_upload_size in Synapse.

References

twisted/twisted#4688 (comment)
twisted/twisted#4688 (comment)

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.
Severity: High
CVE ID: CVE-2024-52805
Weaknesses: CWE-770
_____________________________________________________________________

Partial room state leak via Sliding Sync

Severity: Moderate
Published: GHSA-56w4-5538-8v8h by sandhose, Dec 3, 2024
Package: matrix-synapse (pip)
Affected versions: >= 1.113.0rc1, < 1.120.1
Patched versions: 1.120.1

Description

Impact

The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected.

Patches

Synapse version 1.120.1 fixes the problem.

Workarounds

Disable Sliding Sync.

References

matrix-org/matrix-spec-proposals#4186

synapse/synapse/config/experimental.py, lines 341 to 344 in d80cd57:

    # MSC3575 (Sliding Sync) alternate endpoints, c.f. MSC4186.
    #
    # This is enabled by default as a replacement for the sliding sync proxy.
    self.msc3575_enabled: bool = experimental.get("msc3575_enabled", True)

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity: Moderate (4.3/10)

CVSS v3 base metrics
  Attack vector: Network
  Attack complexity: Low
  Privileges required: Low
  User interaction: None
  Scope: Unchanged
  Confidentiality: Low
  Integrity: None
  Availability: None
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE ID: CVE-2024-53867
Weaknesses: CWE-497
_____________________________________________________________________

Unauthenticated writes to the media repository allow planting of problematic content

Severity: Moderate
Published: GHSA-gjgr-7834-rhxr by sandhose, Dec 3, 2024
Package: matrix-synapse (pip)
Affected versions: < 1.106
Patched versions: 1.106

Description

Impact

Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way.
The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository.

Patches

Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.

Workarounds

Server operators can use stricter rate limits based on IP address, though this is an extremely limited mitigation.

References

matrix-org/matrix-spec-proposals#3916

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity: Moderate (5.3/10)

CVSS v3 base metrics
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: Low
  Availability: None
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID: CVE-2024-37303
Weaknesses: CWE-306
_____________________________________________________________________

Denial of service through media disk space consumption

Severity: High
Published: GHSA-4mhg-xv73-xq2x by sandhose, Dec 3, 2024
Package: matrix-synapse (pip)
Affected versions: < 1.106
Patched versions: 1.106

Description

Impact

Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to complete unavailability of the Synapse process, depending on how Synapse was deployed.

Patches

Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.
Workarounds

Synapse deployments can currently decrease the maximum file size allowed, as well as increase request rate limits. However, this does not address the issue as effectively as a dedicated rate limit on remote media downloads. Server operators may also wish to consider putting media on a dedicated disk or volume, reducing the impact of a disk fill condition.

References

https://en.wikipedia.org/wiki/Leaky_bucket#As_a_meter

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity: High (7.5/10)

CVSS v3 base metrics
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: None
  Availability: High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID: CVE-2024-37302
Weaknesses: CWE-770
=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41           +
+ 75013 Paris        | email:cert@support.renater.fr  +
=========================================================
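The thumbnail restriction from GHSA-vp6v-whfm-rv3g above, illustrated as an added example that is not Synapse's own code: the upload's leading bytes are sniffed for the signature of one of the four formats 1.120.1 still thumbnails, and anything else (including a PostScript header, which Pillow's EPS plugin would hand to Ghostscript) is refused before any decoder runs. The function names and the sample inputs are this example's own constructions.

```python
from typing import Optional

# The four formats Synapse 1.120.1 still generates thumbnails for.
ALLOWED_THUMBNAIL_FORMATS = frozenset({"png", "jpeg", "gif", "webp"})


def sniff_image_format(data: bytes) -> Optional[str]:
    """Identify the format from leading bytes (the file signature), never from
    what the client declared. Returns None for anything unrecognised."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    # WebP is a RIFF container whose form type at offset 8 is "WEBP".
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    # PostScript / EPS: Pillow's plugin for this format invokes Ghostscript.
    if data.startswith(b"%!PS"):
        return "eps"
    return None


def may_thumbnail(data: bytes, declared_content_type: str) -> bool:
    """Gate run before any decoder: the sniffed format must be allow-listed
    and must agree with the Content-Type the upload declared (a mismatch is
    treated as a crafted request and refused)."""
    fmt = sniff_image_format(data)
    if fmt not in ALLOWED_THUMBNAIL_FORMATS:
        return False
    declared = declared_content_type.split(";")[0].strip().lower()
    return declared == "image/" + fmt


if __name__ == "__main__":
    # Constructed sample inputs, not real media files.
    samples = {
        "png":  (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"),
        "eps":  (b"%!PS-Adobe-3.0 EPSF-3.0\n", "image/png"),
        "webp": (b"RIFF\x00\x00\x00\x00WEBPVP8 ", "image/webp"),
    }
    for name, (blob, ctype) in samples.items():
        print(name, sniff_image_format(blob), may_thumbnail(blob, ctype))
```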
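The "leaky bucket as a meter" limit referenced in GHSA-4mhg-xv73-xq2x above, as an added example that is not Synapse's own implementation: each requester key (for unauthenticated requests, the client IP) is charged the size of every remote download it causes, the charge drains at a fixed byte rate, and a download is refused while admitting it would exceed the bucket's capacity. The capacity, drain rate and the ManualClock helper are this example's assumptions.

```python
import time
from typing import Callable, Dict


class ManualClock:
    """Settable clock so the limiter's behaviour over time can be reproduced
    without sleeping (assumed for this example; production uses monotonic)."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class RemoteMediaByteLimiter:
    """Leaky bucket used as a meter: the bucket level is the number of bytes a
    requester has recently caused the server to fetch and cache from remote
    homeservers; it leaks at drain_bytes_per_sec and may never exceed
    capacity_bytes."""

    def __init__(self, capacity_bytes: int, drain_bytes_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity_bytes
        self.drain = drain_bytes_per_sec
        self.clock = clock
        self._level: Dict[str, float] = {}  # requester key -> bytes in bucket
        self._last: Dict[str, float] = {}   # requester key -> last update time

    def _leak(self, key: str) -> float:
        """Apply the drain that occurred since the key's last update."""
        now = self.clock()
        elapsed = now - self._last.get(key, now)
        level = max(0.0, self._level.get(key, 0.0) - elapsed * self.drain)
        self._level[key], self._last[key] = level, now
        return level

    def try_acquire(self, key: str, size_bytes: int) -> bool:
        """Decide before fetching: admit a remote download of size_bytes
        (e.g. the Content-Length of the remote media) for key, charging it to
        the bucket. False means refuse the request (e.g. HTTP 429); the fetch
        never happens, so the bytes never reach the local media store."""
        level = self._leak(key)
        if level + size_bytes > self.capacity:
            return False
        self._level[key] = level + size_bytes
        return True
```

A request larger than the whole capacity is never admitted, so the per-download cap and the per-requester burst are enforced by the same check.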