CVE-2021-44538

14.12.2021, 14:15

The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 79%

Vendor	Product	Version
matrix	element	𝑥 < 1.9.7
matrix	element	𝑥 < 1.9.7
matrix	javascript_sdk	2.4.2 ≤ 𝑥 < 15.2.1
matrix	olm	3.1.4 ≤ 𝑥 < 3.2.8
schildi	schildichat	𝑥 < 1.9.7-sc1
schildi	schildichat	𝑥 < 1.9.7-sc1
cinny_project	cinny	𝑥 < 1.6.0
debian	debian_linux	9.0
debian	debian_linux	10.0
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

olm

bullseye	no-dsa
buster	not-affected
bookworm	3.2.13~dfsg-1 fixed
sid	3.2.16+dfsg-2 fixed
trixie	3.2.16+dfsg-2 fixed

thunderbird

bullseye	1:115.12.0-1~deb11u1 no-dsa
buster	not-affected
bullseye (security)	1:128.4.0esr-1~deb11u1 fixed
bookworm	1:115.12.0-1~deb12u1 fixed
bookworm (security)	1:115.16.0esr-1~deb12u1 fixed
sid	1:128.4.0esr-1 fixed
trixie	1:128.4.0esr-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-matrix-js-sdk

noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
impish	ignored
hirsute	ignored
focal	needs-triage
xenial	ignored
trusty	ignored

olm

noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
impish	ignored
hirsute	ignored
focal	needs-triage
bionic	needs-triage
xenial	ignored
trusty	ignored

thunderbird

noble	Fixed 1:91.5.0+build1-0ubuntu1 released
mantic	Fixed 1:91.5.0+build1-0ubuntu1 released
lunar	Fixed 1:91.5.0+build1-0ubuntu1 released
kinetic	Fixed 1:91.5.0+build1-0ubuntu1 released
jammy	Fixed 1:91.5.0+build1-0ubuntu1 released
impish	Fixed 1:91.5.0+build1-0ubuntu0.21.10.1 released
hirsute	ignored
focal	Fixed 1:91.5.0+build1-0ubuntu0.20.04.1 released
bionic	Fixed 1:91.5.0+build1-0ubuntu0.18.04.1 released
xenial	ignored
trusty	ignored

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://gitlab.matrix.org/matrix-org/olm/-/tags

https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

https://www.debian.org/security/2022/dsa-5034

https://gitlab.matrix.org/matrix-org/olm/-/tags

https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

https://www.debian.org/security/2022/dsa-5034