Matrix Releases Updates to Patch Critical End-to-end Encryption Vulnerabilities

Decentralized communication platform Matrix issued a warning about end-to-end encryption vulnerabilities in some of its software development kits (SDKs).

Matrix is a decentralized, interoperable open standard for real-time IP-based communication. The flawed SDKs affect several clients based on matrix-js-sdk, matrix-ios-sdk, or matrix-android-sdk2, including Beeper, Element, SchildChat, Cinny, Synod.im and Circuli.

“If you're using Element or an application that shares the same SDKs (Beeper, Cinny, SchildiChat, Circuli, Synod.im) then please upgrade now,” reads Matrix’s security advisory. “Do not perform verification with new devices until you have upgraded.”

Two of the flaws were flagged as high severity due to the viciousness of the attack scenarios they could allow:

• “Key/Device Identifier Confusion in SAS Verification”(CVE-2022-39250) – matrix-js-sdk vulnerability, leads to mix-ups between cross-signing keys and device IDs
• “Trusted Impersonation” CVE-2022-39251(matrix-js-sdk), CVE-2022-39255 (matrix-ios-sdk) and CVE-2022-39248(matrix-android-sdk2)–protocol confusion bug that could trigger the service to accept rogue to-device messages

Matrix’s advisory also covered lower-severity issues that would allow easily avoidable or purely hypothetical attacks. Combined, the flaws could let threat actors running malicious servers unleash a flurry of attacks against their users, including:

• Breaking emoji-based verification to hijack authentication attempts
• Impersonating trusted senders of to-device messages
• Exfiltrating message keys by adding malicious key backups to the user account
• Faking encrypted messages to make them appear as if they were sent from a specific user
• Extracting encryption private keys by observing encryption and decryption operation results
• Linking malicious devices to user accounts or inviting malicious users into conversations

Despite the severity of the scenarios, Matrix claims the vulnerabilities should be no cause for concern, as there’s no sign of them being exploited in attacks in the wild. However, the company still urges users to apply the latest update immediately to avoid security risks.

“These have now been fixed, and we have not seen evidence of them being exploited in the wild,” according to Matrix’s security advisory. “All of the critical vulnerabilities require cooperation from a malicious home server to be exploited. Please upgrade immediately in order to be protected against these vulnerabilities.”