CVE-2021-44538

EUVD-2021-31369

14.12.2021, 14:15

The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 80%

Affected Products (NVD)

Vendor	Product	Version
matrix	element	𝑥 < 1.9.7
matrix	element	𝑥 < 1.9.7
matrix	javascript_sdk	2.4.2 ≤ 𝑥 < 15.2.1
matrix	olm	3.1.4 ≤ 𝑥 < 3.2.8
schildi	schildichat	𝑥 < 1.9.7-sc1
schildi	schildichat	𝑥 < 1.9.7-sc1
cinny_project	cinny	𝑥 < 1.6.0
debian	debian_linux	9.0
debian	debian_linux	10.0
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

olm

bookworm	3.2.13~dfsg-1 fixed
bullseye	no-dsa
buster	not-affected
sid	3.2.16+dfsg-2 fixed
trixie	3.2.16+dfsg-2 fixed

thunderbird

bookworm	1:115.12.0-1~deb12u1 fixed
bookworm (security)	1:115.16.0esr-1~deb12u1 fixed
bullseye	1:115.12.0-1~deb11u1 no-dsa
bullseye (security)	1:128.4.0esr-1~deb11u1 fixed
buster	not-affected
sid	1:128.4.0esr-1 fixed
trixie	1:128.4.0esr-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

node-matrix-js-sdk

focal	needs-triage
hirsute	ignored
impish	ignored
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
trusty	ignored
xenial	ignored

olm

bionic	needs-triage
focal	needs-triage
hirsute	ignored
impish	ignored
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
trusty	ignored
xenial	ignored

thunderbird

bionic	Fixed 1:91.5.0+build1-0ubuntu0.18.04.1 released
focal	Fixed 1:91.5.0+build1-0ubuntu0.20.04.1 released
hirsute	ignored
impish	Fixed 1:91.5.0+build1-0ubuntu0.21.10.1 released
jammy	Fixed 1:91.5.0+build1-0ubuntu1 released
kinetic	Fixed 1:91.5.0+build1-0ubuntu1 released
lunar	Fixed 1:91.5.0+build1-0ubuntu1 released
mantic	Fixed 1:91.5.0+build1-0ubuntu1 released
noble	Fixed 1:91.5.0+build1-0ubuntu1 released
trusty	ignored
xenial	ignored

Common Weakness Enumeration

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

References

https://gitlab.matrix.org/matrix-org/olm/-/tags

https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

https://www.debian.org/security/2022/dsa-5034

https://gitlab.matrix.org/matrix-org/olm/-/tags

https://lists.debian.org/debian-lts-announce/2022/01/msg00001.html

https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

https://www.debian.org/security/2022/dsa-5034