GitHub Advisory DatabaseGHSA-F3WC-3VXV-XMVRSynapse Outgoing federation to specific hosts can be disabled by sending malicious invites
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
24.3%
Impact
A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y.
Synapse instances with federation disabled are not affected.
Details
The Matrix protocol allows homeservers to provide an invite_room_state field on a room invite containing a summary of room state. In versions of Synapse up to and including v1.73.0, Synapse did not limit the size of invite_room_state, meaning that it was possible to create an arbitrarily large invite event.
An attacker with an account on a vulnerable Synapse homeserver X could exploit this by having X create an over-sized invite event in a room with a user from another homeserver Y. Once acknowledged by the invitee’s homeserver, the invite event would be sent in a batch of events to Y. If the malicious invite is so large that the entire batch is rejected as too large, X’s outgoing traffic to Y would become “stuck”, meaning that messages and state events created by X would remain unseen by Y.
Patches
Synapse 1.74 refuses to create oversized invite_room_state fields. Server operators should upgrade to Synapse 1.74 or newer urgently.
Workarounds
There are no robust workarounds.
This attack needs an account on Synapse homeserver X to deny federation from X to another homeserver Y. As a partial mitigation, Synapse operators can disable open registration to limit the ability of attackers to create new accounts on homeserver X.
If homeserver X has been attacked in this way, restarting it will resume outgoing federation by entering “catchup mode”. For catchup mode to ignore the oversized invites, every attacked room must have a correctly-sized event sent by X which is newer than any oversized invite. This is difficult to arrange, and does not prevent the attacker from repeating their attack.
References
- https://github.com/matrix-org/synapse/issues/14492 was caused by this issue.
- https://github.com/matrix-org/synapse/issues/14642 includes the patch described above.
For more information
If you have any questions or comments about this advisory, e-mail us at [email protected].
| CPE | Name | Operator | Version |
|---|---|---|---|
| matrix-synapse | lt | 1.74.0 |
References
github.com/advisories/GHSA-f3wc-3vxv-xmvr
github.com/matrix-org/synapse/issues/14492
github.com/matrix-org/synapse/pull/14642
github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr
github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml
lists.fedoraproject.org/archives/list/[email protected]/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/
nvd.nist.gov/vuln/detail/CVE-2023-32323
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
24.3%