BSI discovers serious vulnerabilities in Mastodon, some minor ones in Matrix
As part of an open source code analysis, the BSI examined the messenger Matrix and the social media application Mastodon for critical vulnerabilities.
(Image: BSI, Bernd Lammel)
Together with the Munich-based company MGM Security Partners, the German Federal Office for Information Security (BSI) examined the source code of the messenger service Matrix and the social media application Mastodon. As part of the project to analyze the code of open source software (Caos 2.0), experts checked the services for possible flaws and found what they were looking for. According to the analyses carried out in fall 2023, Mastodon version 4.1.6 had two vulnerabilities classified as high-risk, which an attacker could use to compromise users and the application. The BSI immediately informed the relevant developers of these critical vulnerabilities. The programmers have analyzed the vulnerabilities and have already responded.
According to the findings report on the Twitter alternative Mastodon, the vulnerabilities in question are CVE-2023-46950 and CVE-2023-46951, both cross-site scripting vulnerabilities in Contribsys Sidekiq version 6.5.8 that could allow a remote attacker to obtain confidential information via a manipulated payload. The BSI identified "a high-risk potential" here.
The researchers found another gap in a rate limit that could be bypassed. According to the study, its severity is exacerbated by the fact that the application permits trivial passwords and allows valid usernames to be enumerated without limit. A vulnerability number is still being applied for. Mastodon also uses 22 dependencies on other open-source code with known security vulnerabilities classified as critical or high. Other, significantly less security-critical anomalies include an overlong session validity, a limited ability to inject arbitrary CSS into the application (restricted to the administrator), and unnecessary storage of sensitive data in a cache.
Poor protection of uploaded files in Matrix
In the case of the decentralized messenger server Matrix Synapse, the testers discovered "several security vulnerabilities classified as low" according to the second investigation. Among other things, they again found that sessions remained valid for too long. Furthermore, uploaded files that were not end-to-end encrypted could be downloaded without authentication by anyone who knew the ID of the upload. Ordinary users were also able to end polls created by other users. Last but not least, the researchers found a bypass for the vulnerability CVE-2023-32683.
In the Matrix client Element, the experts discovered a vulnerability classified as low: in its default configuration, the server does not set a response header which, used correctly as a defensive measure, could further increase the security of the application. In Germany, for example, Matrix forms the basis for the Bundeswehr's BwMessenger and a new BundesMessenger. The open-source protocol is also the basis for a communication platform in the healthcare sector. Synapse and Element also revealed several dependencies with known vulnerabilities.
Mature, untidy code base
At both Mastodon and Matrix, the auditors were unable to find any evidence of a structured, tool-supported procedure for the regular identification and correction of vulnerabilities. The relatively large amount of code duplication via copy-and-paste also indicated that some of the projects had "grown" in a chaotic and untidy manner. In both cases, the experts therefore recommend manual or automated structural improvement of source code (refactoring) to ensure general extensibility and, in particular, effective handling of vulnerabilities in the future.
The cooperation project has been running since 2021 with the aim of examining the security of popular open-source software and supporting the responsible teams in writing secure code. The focus of the investigations is "on applications that are increasingly used by public authorities or private users". The creators inform the developers in advance of any extensive vulnerabilities discovered in the responsible disclosure process. As part of the initiative, BSI and MGM have already examined the video conferencing tools Jitsi and BigBlueButton, for example. Further code analyses are planned as Caos 3.0.
(nie)