Latest News
### Impact Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's `/sync` functionality. ### Patches Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users. ### Workarounds Server administrators can disable federation from untrusted servers. ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).
Consumers are getting caught in a web of scams facilitated by online ads often originating from the same perpetrators.
### Impact In Synapse before 1.120.1, `multipart/form-data` requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. ### Patches Synapse 1.120.1 resolves the issue by denying requests with unsupported `multipart/form-data` content type. ### Workarounds Limiting request sizes or blocking the `multipart/form-data` content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low `max_upload_size` in Synapse. ### References - https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518 - https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609 ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).
### Impact Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. ### Patches Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector. ### Workarounds Though extremely limited, server operators can use more strict rate limits based on IP address. ### References * https://github.com/matrix-org/matrix-spec-proposals/pull/3916 ### For more information If you have any questions or comments about this advisory, please email us at [security at elem...
### Impact Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. ### Patches Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached. ### Workarounds Synapse deployments can currently decrease the maximum file size allowed, as well as increase request rate limits. However, this does not as effectively address the issue as a dedicated rate limit on remote media downloads. Server operators may also wish...
Too much access and privilege, plus a host of unsafe cyber practices, plague most workplaces, and the introduction of tools like GenAI will only make things worse.
About Elevation of Privilege – needrestart (CVE-2024-48990) vulnerability. On November 19, Qualys released a security bulletin about five privilege escalation vulnerabilities in the needrestart utility (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) used in Ubuntu Server, starting with version 21.04. The needrestart utility runs automatically after APT operations (installing, updating, or removing packages). It checks if […]
A massive data leak linked to the MOVEit vulnerability has exposed millions of employee records from major companies. Learn about the impact of this leak, the role of the "data vigilante" Nam3L3ss.
About Path Traversal – Zyxel firewall (CVE-2024-11667) vulnerability. A directory traversal vulnerability in the web management interface of Zyxel firewall could allow an attacker to download or upload files via a crafted URL. The vulnerability affects Zyxel ZLD firmware versions from 5.00 to 5.38, used in the ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN […]
A novel backdoor malware and a loader that customizes payload names for each victim have been added to the threat group's cybercriminal tool set.