CVE-2022-45195 The key derivation function in SimpleXMQ before 3.4.0 is not applied to data, which can impact forward secrecy and if there is a compromise of a single private key.
This issue affects all users of SimpleXMQ with any version after 2.0.7, as well as all SimpleX Chat installations with any version after 4.2.0. We have released 3.4.1, which you can download from our downloads page.
As a precaution, we recommend that you upgrade to 3.4.1. It is critical that you upgrade as soon as possible, as other versions will not have fixed this issue.
Find out more about SimpleXMQ 3.4.1
Find out more about SimpleXMQ 3.4.1 at our support website: https://support.simple.com/hc/en-us/articles/3600003550434-SimpleXMQ-3-4-1
Description of the issue
The vulnerability found by Qualys allows an attacker to gain root access to the running system with a specially crafted packet.
This issue affects all SimpleXMQ users, so we strongly advise that you upgrade to 3.4.1.
What is the SimpleXMQ vulnerability?
A vulnerability in SimpleXMQ, a popular commercial messaging software framework, allows an unauthenticated user to send messages on behalf of the victim. The exploit requires no special access beyond being able to connect to the SimpleXMQ server as a client.
How to upgrade to 3.4.1
The upgrade process is easy. Simply open a Terminal window and run the following commands:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
This will update your database and upgrade all SimpleXMQ packages.
Timeline
Published on: 11/12/2022 19:15:00 UTC
Last modified on: 11/17/2022 17:06:00 UTC
References
- https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html
- https://github.com/simplex-chat/simplexmq/pull/548
- https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf
- https://github.com/simplex-chat/simplexmq/compare/v3.3.0...v3.4.0
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45195