Matrix-appservice-bridge is a popular library used to build bridges between various messaging protocols and the Matrix communications ecosystem. It provides an API for setting up bridges easily by connecting different messaging platforms. However, a recently disclosed vulnerability affects Matrix-appservice-bridge from version 4.0.0 up to, but not including, the fixed versions 8.1.2 and 9.0.1. This vulnerability allows a malicious actor to impersonate users when using the provisioning API, potentially giving unauthorized access to sensitive user information.

Vulnerability Details

A malicious Matrix server can exploit this vulnerability by using a foreign user's MXID (Matrix user ID) in an OpenID exchange. The library does not check that the servername part of the sub parameter (which carries the user's *claimed* MXID) matches the servername the OpenID token was actually validated against. Consequently, an attacker could spin up a server on any domain, answer the OpenID exchange with a sub parameter naming whichever user they want to act as, and use the resulting token to perform provisioning requests as that user.

Here's a code snippet that illustrates the issue:

// Vulnerable check in Matrix-appservice-bridge (simplified illustration)
...
// `response` is the OpenID userinfo reply from the homeserver that issued the token;
// `userId` is the MXID the caller claims to be.
if (response.sub !== userId) {
    throw new Error("OpenID token does not match userId: " + userId);
}
// Nothing verifies that the servername in response.sub is the server that answered.
...

As shown in the snippet, Matrix-appservice-bridge checks that response.sub equals the supplied userId, but it never checks that the servername in the sub parameter is the server that answered the OpenID exchange. Because the caller controls which server is asked, a server on any domain can return a sub claiming a user on a different domain, and the check passes. This oversight enables the attacker to impersonate any user from any domain.
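The following is an added example, not code from matrix-appservice-bridge, modelling the check described above. It places the weak check beside a hardened one that also ties the servername in the sub to the homeserver the token was exchanged with; the function names, the openIdServer parameter and the sample responses are constructed for illustration.

```javascript
// Added example (not matrix-appservice-bridge's own code). `userId` is the MXID
// the caller claims to be; `openIdServer` is the homeserver the OpenID token
// was exchanged with (the matrix_server_name the token carries). Names and
// sample responses are constructed for illustration.

// Split an MXID of the form "@localpart:server.name[:port]" into its parts.
function parseMxid(mxid) {
  const m = /^@([^:]+):(.+)$/.exec(mxid);
  if (!m) {
    throw new Error("Not a valid MXID: " + mxid);
  }
  return { localpart: m[1], servername: m[2] };
}

// The check the vulnerable versions performed: sub must equal the claimed
// userId, but nothing ties it to the server that actually answered.
function vulnerableCheck(response, userId) {
  return response.sub === userId;
}

// Hardened check: sub must still match the claimed userId, AND its servername
// must be the homeserver the OpenID token was exchanged with. A server at
// "evil.example" answering with "@alice:homeserver.example" is rejected.
function hardenedCheck(response, userId, openIdServer) {
  if (typeof response.sub !== "string" || response.sub !== userId) {
    return false;
  }
  const { servername } = parseMxid(response.sub);
  return servername === openIdServer;
}

// Constructed sample: a foreign server answers the userinfo request with a
// sub it does not own, next to an honest answer for one of its own users.
const claimedUser = "@alice:homeserver.example";
const foreignServer = "evil.example";
const forgedResponse = { sub: claimedUser };
const honestResponse = { sub: "@mallory:evil.example" };
```

With these inputs the vulnerable check accepts the forged response, while the hardened check rejects it and still accepts the honest one.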

Solutions

The developers of Matrix-appservice-bridge have released patches for this vulnerability in versions 8.1.2 and 9.0.1. Administrators are advised to update their Matrix-appservice-bridge to one of these fixed versions as soon as possible.

If updating is not possible, a temporary workaround is to disable the provisioning API. This removes the functionality that depends on it, but it also removes the path through which the flaw can be exploited.

Conclusion

This vulnerability exposes a critical issue in Matrix-appservice-bridge, allowing unauthorized users to impersonate other users within the context of the provisioning API. To protect against this vulnerability, administrators should update their Matrix-appservice-bridge installations to version 8.1.2 or 9.0.1, or disable the provisioning API if updating is not an option.

Original References

- Matrix-appservice-bridge v8.1.2 Release Notes
- Matrix-appservice-bridge v9.0.1 Release Notes
- CVE-2023-38691 Vulnerability Details

Timeline

Published on: 08/04/2023 17:15:00 UTC
Last modified on: 08/11/2023 19:34:00 UTC