A critical vulnerability has been identified in matrix-appservice-irc, the open-source Node.js IRC bridge for Matrix. Tracked as CVE-2022-39203, it allows an attacker to send a specially crafted string that confuses the bridge into combining an attacker-owned channel with an existing, legitimate channel. Because the bridge then treats the two as one, the attacker can grant themselves permissions in the legitimate channel and gain access they were never entitled to.

Details of Vulnerability

Matrix-appservice-irc is commonly used to bridge communications between Matrix rooms and IRC channels. The vulnerability arises when an attacker supplies a malformed channel string that the bridge fails to keep distinct from an existing channel name, causing it to link the legitimate channel with the attacker's rogue channel. Once the two are merged, the attacker can manipulate the channel's permissions, grant themselves elevated rights, and from there disrupt or compromise the channel's communications.

The matrix-appservice-irc development team has acknowledged the issue and released a fix in version 0.35.0.

Exploit Details

The specific exploit mechanism has not been publicly disclosed, to avoid handing attackers a working recipe before operators have upgraded. What is known from the advisory is that the exploit relies on a carefully crafted channel string that triggers the bridge's misbehavior and causes two channels to be combined; the full list of triggering characters is not public.

You can find additional details about the vulnerability and patch in the original references linked below:
1. CVE-2022-39203 Official Record
2. Matrix-appservice-irc GitHub Repository

Workaround

Operators who cannot immediately update to matrix-appservice-irc 0.35.0 can apply a temporary workaround: disable dynamic channel joining by setting `dynamicChannels.enabled` to `false` for each IRC server in the bridge configuration. This prevents Matrix users from bridging into new IRC channels, so no new bridged channels can be created beyond those that already exist or are explicitly listed in the configuration file. Note that this also removes a feature users may rely on; it is a stopgap, not a substitute for upgrading.

To implement this workaround, edit the bridge's `config.yaml`. The `dynamicChannels` block lives under each IRC server entry in `ircService.servers`, so the setting must be changed for every server the bridge connects to (`irc.example.org` below is a placeholder for your own server key):

```yaml
ircService:
  servers:
    irc.example.org:
      # ... existing server settings ...
      dynamicChannels:
        enabled: false
```

After updating the configuration, restart the matrix-appservice-irc instance to apply the changes.

Conclusion

If you operate a Matrix homeserver that uses matrix-appservice-irc, update to version 0.35.0 or later as soon as possible; until you can, apply the `dynamicChannels.enabled: false` workaround described above. Either step closes the path by which an attacker could merge a rogue channel into a legitimate one and grant themselves permissions there, protecting your users' communications from anyone attempting to exploit CVE-2022-39203.

Timeline

Published on: 09/13/2022 19:15:00 UTC
Last modified on: 09/16/2022 02:38:00 UTC