Synapse is an open-source Matrix homeserver that allows users to communicate securely and privately via the Matrix protocol. However, a recently discovered vulnerability (CVE-2024-37303) in Synapse versions prior to 1.106 can be exploited by unauthenticated remote users to trigger the download and caching of remote media, potentially planting problematic content on the local media repository.
This article provides an overview of the issue, code snippets demonstrating the exploit, original references, and details regarding the mitigation introduced in Synapse version 1.106.
Vulnerability Details (CVE-2024-37303)
By design, Synapse allows unauthenticated remote participants to trigger the download and caching of remote media files from another homeserver to the local media repository. These files become available for download from the local homeserver without authentication, making it possible for an unauthenticated remote adversary to plant problematic content on the media repository.
Exploiting the Vulnerability
The exploit involves sending a crafted request from a remote user to the local homeserver, triggering the download and caching of a specific remote media file. Here's an example of a cURL request demonstrating this exploit:
curl -X GET "https://local.matrix.server/_matrix/media/r0/download/remote.matrix.server/<Media_ID>?allow_remote=true" -o "downloaded_media.jpg"
Replace local.matrix.server with the target local homeserver, remote.matrix.server with a remote homeserver, and <Media_ID> with a specific media identifier that you want to cache on the target server. The allow_remote parameter is set to true to trigger a download from the remote server if the content is not already cached locally.
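From the operator's side, the same request shape is what you would look for in the reverse-proxy access log in front of Synapse. The following is an added detection example, not code from the article or the Synapse project: it parses Common Log Format lines, picks out requests to the legacy unauthenticated media endpoints that name a server other than the local one and do not set allow_remote=false, and counts them per client. The local server name, the log format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Hypothetical local homeserver name; set this to your own server_name.
LOCAL_SERVER = "local.matrix.server"

# Legacy media paths that Synapse served without authentication before the change.
LEGACY_MEDIA_RE = re.compile(
    r"^/_matrix/media/(?:r0|v1|v3)/(?:download|thumbnail)/(?P<server>[^/]+)/(?P<media_id>[^/]+)"
)
# Common Log Format line as written by a typical reverse proxy in front of Synapse.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2024:17:20:01 +0000] "GET /_matrix/media/r0/download/remote.matrix.server/abc123?allow_remote=true HTTP/1.1" 200 48213
203.0.113.7 - - [03/Dec/2024:17:20:02 +0000] "GET /_matrix/media/v3/download/remote.matrix.server/def456 HTTP/1.1" 200 10112
203.0.113.7 - - [03/Dec/2024:17:20:03 +0000] "GET /_matrix/media/v3/thumbnail/other.example/ghi789?width=96&height=96 HTTP/1.1" 200 3001
198.51.100.9 - - [03/Dec/2024:17:21:00 +0000] "GET /_matrix/media/v3/download/local.matrix.server/xyz000 HTTP/1.1" 200 5000
198.51.100.9 - - [03/Dec/2024:17:21:05 +0000] "GET /_matrix/media/v3/download/remote.matrix.server/jkl111?allow_remote=false HTTP/1.1" 404 90
198.51.100.9 - - [03/Dec/2024:17:21:06 +0000] "GET /_matrix/client/v3/sync HTTP/1.1" 200 8000
"""

def classify(line):
    """Return (client, remote_server, media_id) for a legacy-endpoint request that can make Synapse fetch and cache remote media; else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    p = LEGACY_MEDIA_RE.match(url.path)
    if not p:
        return None
    server = p.group("server").lower()
    if server == LOCAL_SERVER:
        return None  # local media: no remote fetch is involved
    # Synapse treats allow_remote as true unless the client explicitly sets it to false.
    if parse_qs(url.query).get("allow_remote", ["true"])[0].lower() == "false":
        return None
    return (m.group("client"), server, p.group("media_id"))

def remote_fetch_triggers(lines, threshold=3):
    """Count qualifying requests per client and return the clients at or above threshold."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return {client: n for client, n in counts.items() if n >= threshold}
```

Run over the sample, only 203.0.113.7 is reported, since the local-media request, the allow_remote=false request and the /sync call are all excluded; tune the threshold to your own traffic before alerting on it.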
Original References
The vulnerability was reported on the Matrix.org GitHub repository, and CVE-2024-37303 was assigned to track the issue. More information is available at the following links:
- Vulnerability Report: matrix-org/synapse#11234
- Matrix.org blog post: Authenticating download of media content
- Synapse 1.106 Release Notes: tag/v1.106.
Mitigation in Synapse 1.106
Synapse version 1.106 introduces a partial mitigation by adding new media download endpoints that require authentication (see Matrix Spec Change MSC359). These endpoints let administrators configure their homeservers so that remote users must authenticate before they can access local media files.
In addition, the unauthenticated endpoints will be frozen in a future release, which closes the attack vector. Administrators are advised to upgrade to Synapse 1.106 or later to benefit from these changes.
For a detailed explanation of the mitigation and configuration changes, refer to the Matrix.org blog post.
Conclusion
The Synapse CVE-2024-37303 vulnerability allows unauthenticated remote users to plant problematic content on the local media repository. It is crucial to upgrade Synapse to version 1.106 or higher to apply the mitigation through authenticated media download endpoints. Administrators should stay aware of future Synapse releases and apply updates as needed to maintain security and mitigate potential threats.
Timeline
Published on: 12/03/2024 17:15:10 UTC