CVE-2022-39264 nheko is a desktop client for the Matrix protocol. Versions below 0.10.2 are vulnerable to secrets being inserted by a malicious party, which could lead to man-in-the-middle attacks on end-to-end encrypted conversations.
The nheko project published a fix in version 0.10.2 (see the advisory, release and commit linked below), and users should upgrade as soon as possible. The issue was disclosed on 28 September 2022 alongside a coordinated set of end-to-end encryption fixes in other Matrix clients and SDKs. The security-relevant point is the trust model of Matrix end-to-end encryption: a client decides which devices and keys to trust based on secrets such as the cross-signing private keys and the key-backup key, which are shared between a user's own devices through the protocol's secret-sharing mechanism. If a malicious homeserver or another attacker can insert its own values for those secrets, the client will treat attacker-controlled keys as the user's own and can be led to trust attacker devices, so encrypted messages can be intercepted or forged without the warnings a verified session would normally raise. This is a confidentiality and integrity problem in the encryption layer, not remote code execution, and it only affects nheko users; the fix is to upgrade to 0.10.2 or later and, where there is any doubt, to re-verify devices and reset cross-signing keys afterwards.
What is Matrix?
Matrix is an open standard for decentralised, real-time communication (instant messaging, VoIP signalling and related data). Users have accounts on homeservers, which federate with each other, and conversations take place in rooms whose history is replicated across the participating homeservers. Many independent clients exist for desktop, web and mobile; nheko is one of them, a native Qt-based desktop client. The protocol supports optional end-to-end encryption, so that homeservers relay messages they cannot read.
What is the Matrix protocol?
The Matrix protocol is the HTTP/JSON client-server and server-server API that clients and homeservers implement. End-to-end encryption is built on the Olm (pairwise) and Megolm (group) ratchets; each device has its own keys, and users establish trust in devices through verification (for example an emoji or QR comparison) and cross-signing, where a per-user master key signs a self-signing key and a user-signing key that in turn vouch for devices.
The private halves of those cross-signing keys, together with the Megolm key-backup key, are the "secrets" this advisory refers to. They are stored on the homeserver only in encrypted secret storage and are otherwise passed directly between a user's own devices with the secret-sharing mechanism: a new device sends an m.secret.request to-device event naming the secret it needs, and a trusted device answers with an Olm-encrypted m.secret.send event carrying the value. A client must therefore only accept a secret that answers a request it actually sent, from one of the user's own verified devices, and only once; a client that accepts secrets more liberally can have attacker-chosen keys inserted, which is what the 0.10.2 patch addresses.
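The following is an added example, not nheko code and not the nheko fix itself, that shows the checks a client should apply when an m.secret.send to-device event arrives, next to an unchecked handler that illustrates how secret insertion becomes possible. The event objects, user and device identifiers, secret values and the store classes are all constructed here for illustration; the secret names and the request/send event shapes are the ones defined by the Matrix specification.

```python
"""Illustrative handling of Matrix secret sharing (m.secret.request / m.secret.send).

Added example, not part of nheko. Shows why a client must accept a secret only
when it answers a request the client sent, from one of the user's own verified
devices, and only once.
"""
import secrets
from dataclasses import dataclass

# Secret names defined by the Matrix specification for secret sharing.
CROSS_SIGNING_MASTER = "m.cross_signing.master"
CROSS_SIGNING_SELF = "m.cross_signing.self_signing"
CROSS_SIGNING_USER = "m.cross_signing.user_signing"
MEGOLM_BACKUP_KEY = "m.megolm_backup.v1"


@dataclass(frozen=True)
class ToDeviceEvent:
    """A decrypted to-device event as the client sees it (constructed here).

    sender_device must be the device id bound to the Olm session the event
    was decrypted from; it must never be read from the plaintext content.
    """
    sender: str
    sender_device: str
    type: str
    content: dict


class UncheckedSecretStore:
    """Illustrative vulnerable pattern: any m.secret.send whose request_id
    matches an outstanding request is stored, whoever sent it."""

    def __init__(self, user_id, own_device_id):
        self.user_id = user_id
        self.own_device_id = own_device_id
        self.pending = {}   # request_id -> secret name
        self.secrets = {}   # secret name -> value

    def request(self, name):
        """Build the m.secret.request content and remember the request."""
        request_id = secrets.token_hex(16)
        self.pending[request_id] = name
        return {"name": name, "action": "request",
                "requesting_device_id": self.own_device_id,
                "request_id": request_id}

    def handle_secret_send(self, ev):
        if ev.type != "m.secret.send":
            return False
        name = self.pending.get(ev.content.get("request_id"))
        if name is None:
            return False
        self.secrets[name] = ev.content["secret"]   # no sender check, no one-shot
        return True


class VerifiedSecretStore(UncheckedSecretStore):
    """Hardened handler: the reply must come from one of our own verified
    devices, answer an outstanding request, and each request is answered once."""

    def __init__(self, user_id, own_device_id, verified_devices):
        super().__init__(user_id, own_device_id)
        self.verified_devices = set(verified_devices)

    def handle_secret_send(self, ev):
        if ev.type != "m.secret.send":
            return False
        request_id = ev.content.get("request_id")
        secret = ev.content.get("secret")
        if not isinstance(request_id, str) or not isinstance(secret, str) or not secret:
            return False
        # Secrets are only ever shared between a single user's own devices.
        if ev.sender != self.user_id or ev.sender_device == self.own_device_id:
            return False
        # The answering device must have been verified (SAS / cross-signing).
        if ev.sender_device not in self.verified_devices:
            return False
        # Only now consume the request, so a rejected reply cannot burn it.
        name = self.pending.pop(request_id, None)
        if name is None:
            return False
        self.secrets[name] = secret
        return True


def demo():
    """Run the same constructed event sequence through both stores."""
    user, me, good_dev, evil_dev = "@alice:example.org", "DEVICE_A", "DEVICE_B", "DEVICE_X"
    results = {}
    for label, store in (("unchecked", UncheckedSecretStore(user, me)),
                         ("verified", VerifiedSecretStore(user, me, {good_dev}))):
        rid = store.request(CROSS_SIGNING_MASTER)["request_id"]
        # The homeserver routes the request event and so learns rid; it can
        # answer from a device it controls that Alice never verified.
        injected = ToDeviceEvent(user, evil_dev, "m.secret.send",
                                 {"request_id": rid, "secret": "ATTACKER_KEY"})
        unsolicited = ToDeviceEvent(user, good_dev, "m.secret.send",
                                    {"request_id": "never-requested", "secret": "X"})
        other_user = ToDeviceEvent("@mallory:example.org", good_dev, "m.secret.send",
                                   {"request_id": rid, "secret": "MALLORY_KEY"})
        legit = ToDeviceEvent(user, good_dev, "m.secret.send",
                              {"request_id": rid, "secret": "REAL_KEY"})
        results[label] = {
            "injected_accepted": store.handle_secret_send(injected),
            "stored_after_injection": store.secrets.get(CROSS_SIGNING_MASTER),
            "unsolicited_accepted": store.handle_secret_send(unsolicited),
            "other_user_accepted": store.handle_secret_send(other_user),
            "legit_accepted": store.handle_secret_send(legit),
            "replay_accepted": store.handle_secret_send(legit),
            "final": store.secrets.get(CROSS_SIGNING_MASTER),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Matching the request_id is necessary but not sufficient: the request is a to-device event the homeserver routes and, as commonly sent, can read, so the identifier is not a secret and the sender-device check against verified devices is what actually stops the injection. For cross-signing private keys a client should additionally check that the received private key reproduces the public key already published for the user before using it; that check is omitted here because it needs an Ed25519 implementation.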
Timeline
Published on: 09/28/2022 22:15:00 UTC
Last modified on: 10/07/2022 18:15:00 UTC
References
- https://github.com/Nheko-Reborn/nheko/security/advisories/GHSA-8jcp-8jq4-5mm7
- https://github.com/Nheko-Reborn/nheko/releases/tag/v0.10.2
- https://github.com/Nheko-Reborn/nheko/commit/67bee15a389f9b8a9f6c3a340558d1e2319e7199
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBOL6OOQGPZD2RLYT4EHAWTFXNIHLYEN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TA6A5ADUVAYKD3ZFLF2JPZOTIOFJOEU7/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39264