CVE-2022-41952 - Vulnerability in Synapse URL preview functionality causing excessive traffic and connections

The Synapse server software (the reference homeserver for the decentralized Matrix communication protocol) has a newly disclosed vulnerability in its URL preview functionality, tracked as CVE-2022-41952. When generating previews for media stream URLs, such as those served by Icecast, affected Synapse versions (up to 1.52.) can produce excessive traffic and long-lived connections toward the streaming server, especially when the URL is posted in a crowded room served by many Synapse instances. The issue is resolved in versions 1.52. and 1.53.; operators of older versions should update or disable URL previews in the meantime.

Background

Synapse is the reference implementation of a Matrix homeserver and the most widely used server on Matrix networks. It is written in Python on top of the Twisted networking framework, and lets Matrix operators provide secure, decentralized communication services to their users.

Vulnerability Details

The vulnerability, assigned CVE-2022-41952, affects Synapse instances running versions prior to 1.52. with the URL preview functionality enabled. In these versions, Synapse attempts to generate a URL preview for a media stream URL without limiting how long the connection may stay open. The connection is only closed once max_spider_size bytes (10M by default) have been downloaded, which for a live stream can take a long time at typical bitrates. The result is long-lived connections toward streaming media servers, such as an Icecast server, whenever a stream URL is posted in a large room federated across many Synapse instances, since every instance fetches the URL independently.

With URL previews enabled, these excessive connections could exhaust resources on the streaming server and could also disrupt the normal operation of the Synapse instances holding the connections open.

Exploit

There is no reported exploit for this vulnerability, and no known attacks or incidents have occurred using the vulnerability.

Solution

Updating Synapse to version 1.52. or later introduces a connection timeout, which aborts a URL preview fetch after 30 seconds. Updating to version 1.53. additionally adds an allowlist of content types, so Synapse no longer attempts previews at all for unsupported media streams.
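The following is an added example, not Synapse's own code, that models the fetch loop behind this advisory: the same never-ending Icecast-like body is consumed under the vulnerable rule (stop only at max_spider_size), with the 30-second timeout, and with a content-type allowlist. The function names, the allowlisted types and the one-chunk-per-second clock are assumptions made for the demonstration; the 10M default and the 30-second limit come from the advisory.

```python
from typing import Callable, Iterable, Iterator, Optional, Tuple

MAX_SPIDER_SIZE = 10 * 1024 * 1024  # Synapse's default max_spider_size (10M)
PREVIEW_TIMEOUT_SECONDS = 30        # per-fetch limit described in the fix
# Hypothetical allowlist: only types a preview can be built from.
# A live Icecast stream (audio/mpeg, audio/ogg, ...) is not on it.
PREVIEW_CONTENT_TYPES = {"text/html", "image/jpeg", "image/png", "image/gif"}

def fetch_for_preview(content_type: str, body: Iterable[bytes], clock: Callable[[], int],
                      *, timeout: Optional[int] = PREVIEW_TIMEOUT_SECONDS,
                      use_allowlist: bool = True, max_size: int = MAX_SPIDER_SIZE) -> Tuple[str, int]:
    """Consume a response body as a preview fetcher would and report why it
    stopped: (reason, bytes_read). `clock` returns elapsed seconds (injected)."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if use_allowlist and media_type not in PREVIEW_CONTENT_TYPES:
        return "content_type_rejected", 0       # never opens the stream at all
    started = clock()
    read = 0
    for chunk in body:
        read += len(chunk)
        if read >= max_size:
            return "size_limit", read           # the only stop in vulnerable versions
        if timeout is not None and clock() - started >= timeout:
            return "timeout", read              # the timeout added in the fix
    return "complete", read

def endless_stream(chunk_size: int = 4096) -> Iterator[bytes]:
    """Constructed stand-in for an Icecast stream: chunks never stop coming."""
    while True:
        yield b"\x00" * chunk_size

class FakeClock:
    """Constructed clock: each call advances one second (one chunk per second)."""
    def __init__(self) -> None:
        self.now = 0
    def __call__(self) -> int:
        self.now += 1
        return self.now

def compare_behaviours() -> dict:
    """Same Icecast-like response under the vulnerable and the fixed rules."""
    ct = "audio/mpeg"
    return {
        "vulnerable": fetch_for_preview(ct, endless_stream(), FakeClock(), timeout=None, use_allowlist=False),
        "fixed_1_52": fetch_for_preview(ct, endless_stream(), FakeClock(), use_allowlist=False),
        "fixed_1_53": fetch_for_preview(ct, endless_stream(), FakeClock()),
    }
```

Under the vulnerable rule the fetch only ends after 10M bytes have streamed; with the timeout it ends after 30 one-second chunks; with the allowlist no connection is held at all.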

Original References

- Synapse Release Notes
- Matrix Team Blog Post about Synapse 1.52.
- CVE-2022-41952 on MITRE CVE List

Workaround

If updating is not feasible, operators can mitigate the issue in the meantime by disabling the URL preview feature in the Synapse configuration file. Add or modify the following line:

url_preview_enabled: false

This will turn off the URL preview functionality, effectively mitigating the vulnerability until a proper upgrade can be performed.

Conclusion

Synapse users should take action to either update their server software or disable the URL preview functionality to avoid the possibility of excessive connections and traffic issues associated with CVE-2022-41952. By doing so, they can help maintain the stability and security of both their servers and the broader Matrix network.

Timeline

Published on: 11/22/2022 16:15:00 UTC
Last modified on: 07/06/2023 13:37:00 UTC