TL;DR, 0.8.2 shouldn’t be trusted for secure communication anyway, which is why we have a few big warnings in various places.
Copying the security announcement I made in the Nheko room:

Security vulnerability when resharing encryption keys

Affected versions

- Latest stable release, in a very limited manner. No security patch will be provided, details below.
- Current master branch and nightlies. If you update now, you should get a fix for it.
Details on the vulnerability
Devices in a room are identified by a device id. Nheko uses this id to keep track of which devices it should reshare keys to if a device re-requests them. Because the device id is a user- or server-defined string, it is not enough on its own to authenticate that you are actually talking to the same device. For this reason Nheko keeps track of the curve25519 and ed25519 keys of each device in a room and disallows a different device from claiming the same keys or the same device id.
This logic seems to work fine, although it could certainly be improved to protect against mistakes. But there was one flaw: Nheko removed this tracking information if the server claimed that all relevant devices of the other user had been removed (using the device_lists.left attribute of the sync response). A malicious server could abuse that by first claiming all devices were removed and then inserting its own device with the same device id. As a result the server could obtain the keys for old messages via key sharing and read old encrypted messages, if Nheko has the keys to read them.
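To make the flaw concrete, here is a small model of the device-tracking and reshare decision described above. This is an added illustration, not Nheko's code: the class and function names, the `forget_on_left` switch (which stands in for the pre-fix behaviour of dropping a user's tracked devices on device_lists.left), and the sample user id and key strings are all constructed for the example.

```python
"""Toy model of device-identity tracking for key resharing (added example, not Nheko code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DeviceKeys:
    curve25519: str
    ed25519: str


@dataclass
class DeviceTracker:
    # Hypothetical switch: True models the behaviour before the fix, where a
    # user's tracked devices were forgotten when the server listed that user
    # in device_lists.left; False models never deleting the mappings.
    forget_on_left: bool
    # (user_id, device_id) -> keys first seen for that device id
    by_device: dict = field(default_factory=dict)
    # (user_id, keys) -> device_id that first presented those keys
    by_keys: dict = field(default_factory=dict)

    def observe(self, user_id: str, device_id: str, keys: DeviceKeys) -> bool:
        """Record a device from a key query.

        Returns False if the claim conflicts with what was tracked before:
        a known device id now presenting different keys, or a different
        device id presenting keys already bound to another device.
        """
        dev = (user_id, device_id)
        if dev in self.by_device and self.by_device[dev] != keys:
            return False
        if (user_id, keys) in self.by_keys and self.by_keys[(user_id, keys)] != device_id:
            return False
        self.by_device[dev] = keys
        self.by_keys[(user_id, keys)] = device_id
        return True

    def handle_device_lists_left(self, left_users: list) -> None:
        """Process the device_lists.left array of a sync response."""
        if not self.forget_on_left:
            return  # fixed behaviour: tracked mappings are never deleted
        for user_id in left_users:
            for dev in [d for d in self.by_device if d[0] == user_id]:
                keys = self.by_device.pop(dev)
                self.by_keys.pop((user_id, keys), None)


@dataclass
class OutboundSession:
    """The (user_id, device_id) pairs that received this session when it was created."""
    shared_with: set = field(default_factory=set)

    def answer_key_request(self, tracker: DeviceTracker, user_id: str,
                           device_id: str, claimed_keys: DeviceKeys) -> bool:
        """Reshare only to a device id we shared with, and only if the keys it
        now presents are consistent with what we tracked for that device id."""
        if (user_id, device_id) not in self.shared_with:
            return False
        return tracker.observe(user_id, device_id, claimed_keys)


def simulate(forget_on_left: bool) -> bool:
    """Replay the attack. Returns True if the impostor device gets the old session key."""
    alice = "@alice:example.org"                        # constructed user id
    real = DeviceKeys("curve_real", "ed_real")          # constructed key material
    impostor = DeviceKeys("curve_server", "ed_server")  # keys the server controls

    tracker = DeviceTracker(forget_on_left=forget_on_left)
    session = OutboundSession()

    # Alice's real device is seen and receives the session when it is created.
    tracker.observe(alice, "DEVICEA", real)
    session.shared_with.add((alice, "DEVICEA"))

    # Malicious server: claims all of Alice's devices are gone, then presents a
    # device with the same device id but its own keys and re-requests the key.
    tracker.handle_device_lists_left([alice])
    return session.answer_key_request(tracker, alice, "DEVICEA", impostor)


if __name__ == "__main__":
    print("vulnerable (forget on left):", simulate(forget_on_left=True))
    print("fixed (never delete):      ", simulate(forget_on_left=False))
```

With `forget_on_left=True` the impostor's keys are accepted as a first observation and the key is reshared; with the mappings kept, the same device id presenting different keys is rejected. Note that the check only helps if the mapping survives every code path the server can trigger, which is exactly what the fix enforces.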
The security patch available in 1b82b82 ensures that we never delete the mappings, which should prevent this and similar attacks.

Why no stable patch
E2EE is still marked as alpha in our last release. Enabling it gives you a warning about that, and our last release, 0.8.2, does not provide a way to avoid sending messages to unverified devices and doesn't even display that there are such devices in a room. Furthermore, it only reshares the last outbound session in each room. As such the reshared keys only apply to a limited set of messages.
We encourage everyone not to rely on the security of our E2EE implementation until it is out of beta and we have had time to audit it. There will be possible attacks against it before then. Our master branch should be fairly secure nowadays, but if you really can't trust your server, we encourage you to use a different client in the meantime. You can find the current status of our E2EE implementation here: #23
Until then our README will still contain the following (which is a step down from the warning during the 0.8.2 release):
The implementation may also still have bugs, so don't rely on it for security.
How do I update
Use the usual channels where you got the nightly from. People using the nightly repo for flatpaks should be able to get the update using:
flatpak upgrade io.github.NhekoReborn.Nheko
Users of the Windows or macOS nightlies should be able to download the fixed versions from here: https://matrix-static.neko.dev/room/!TshDrgpBNBDmfDeEGN:neko.dev/
If you are using the nheko-git AUR package, just rebuild it.