Impersonation and takeover of remote accounts with unnormalized signed activities

High
mei23 published GHSA-f7g9-xhcq-5ww6 Apr 29, 2024

Package

Meisskey

Affected versions

10.102.215-m544 - 10.102.698-m544

Patched versions

10.102.699-m544

Description

Summary

Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities.

Details

The reporter intends to keep this section undisclosed at least for 30 days after the publication of the advisory and until the remedy has been deployed widely.

PoC

The reporter intends to keep this section undisclosed at least for 30 days after the publication of the advisory and until the remedy has been deployed widely.

Impact

The vulnerability allows a threat actor to impersonate a target remote account and perform spoofed activities of any type attributed to the target account, provided that the threat actor has access to a valid Linked Data Signature by the target account.

There are a number of situations where the threat actor can obtain a valid signature by the target account, including:

  • The target account sends a signed activity to another account and the recipient account's server forwards the activity to a server controlled by the threat actor according to the inbox forwarding mechanism of ActivityPub
  • The target account has joined a relay to which a server controlled by the threat actor subscribes, and sends a signed activity to that relay

Patches

As of 10.102.699-m544, activities whose LD Signature has been verified are compacted (JSON-LD compaction) before they are processed, so that the structure acted upon matches the structure that was signed.
This is expected to mitigate the vulnerability.

If LD Signature verification is not needed on your instance, we recommend disabling it entirely with the ignoreApForwarded option described under Workarounds below.

Workarounds

Setting the ignoreApForwarded option to true appears to avoid the impact of this vulnerability completely, because LD Signatures are then never used to accept activities that did not arrive directly from their author.
This option is available since 10.102.323-m544.
However, enabling this option means the instance can no longer receive relayed or forwarded activities.

Timeline

Date and time | Event
2022-02-03    | The same kind of vulnerability in Mastodon was disclosed: CVE-2022-24307

References

Reporter's Patch for Misskey v13- and Advisory
(You can also find the latest timeline and information on other implementations here.)
https://gist.github.com/tesaguri/f3c73f81bc000f669fc8adfab316603b

Severity

High

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

CVE ID

No known CVE

Weaknesses

No CWEs

Credits