Synapse, an implementation of the Matrix protocol homeserver, is written in Python and utilizes the powerful Twisted framework. Recently, a vulnerability has been discovered, which allows an oEmbed or image URL to bypass the url_preview_url_blacklist setting. This could potentially lead to server-side request forgery (SSRF) or bypassing network policies.
The impact of this vulnerability is limited by the IP addresses allowed by the url_preview_ip_range_blacklist setting (by default, this only allows public IPs) and the limited information returned to the client. For oEmbed URLs, any non-JSON response or a JSON response containing non-oEmbed information is discarded. Similarly, for image URLs, any non-image response is disregarded. Systems with URL preview disabled (via the url_preview_enabled setting) or without a configured url_preview_url_blacklist are not affected.
This issue is addressed in Synapse version 1.85., and users are advised to upgrade. For users unable to upgrade, disabling URL previews is a viable alternative.
Exploit Details
The vulnerability stems from the fact that the url_preview_url_blacklist setting can be circumvented by exploited URLs. For example, consider the following code snippet:
malicious_url = "https://attacker-server.com/exploit";
url_preview_url_blacklist = ["*attacker-server.com*"]
url_preview_ip_range_blacklist = [".../"]
In this scenario, the malicious_url should be blocked by the url_preview_url_blacklist setting, but it can be bypassed due to the vulnerability.
When an oEmbed or image URL is discovered, the code responsible for determining whether the URL should be blocked does not properly evaluate the blacklist rules. The result is that the URL can bypass the blacklist setting, potentially allowing server-side request forgery or bypassing network policies.
Solution
The vulnerability is addressed in Synapse version 1.85.. Users should upgrade to this version as soon as possible to protect their systems from potential attacks exploiting this vulnerability. The upgrade process can be found in the [Synapse documentation][3].
For users who are unable to upgrade, another option is to disable URL previews. To do this, simply edit the homeserver.yaml configuration file and set the url_preview_enabled setting to false. After making this change, restart the Synapse homeserver to apply the updated settings.
Conclusion
In conclusion, the CVE-2023-32683 vulnerability in the Synapse homeserver can potentially expose systems to server-side request forgeries or bypass network policies. It is crucial to upgrade to version 1.85. or disable URL previews if you are unable to upgrade. By staying vigilant and up-to-date with the latest security updates, users can help protect their systems from potential threats.
[1]: https://github.com/matrix-org/synapse
[2]: https://matrix.org/docs/spec/
[3]: https://matrix-org.github.io/synapse/latest/setup/upgrading/
Timeline
Published on: 06/06/2023 19:15:00 UTC
Last modified on: 06/17/2023 03:15:00 UTC