Summary
Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities.
Details
The reporter intends to keep this section undisclosed at least for 30 days after the publication of the advisory and until the remedy has been deployed widely.
PoC
The reporter intends to keep this section undisclosed at least for 30 days after the publication of the advisory and until the remedy has been deployed widely.
Impact
The vulnerability allows a threat actor to impersonate a target remote account and perform spoofed activities of any type attributed to the target account, provided that the threat actor has access to a valid Linked Data Signature by the target account.
There are a number of situations where the threat actor can obtain a valid signature by the target account, including:
- The target account sends a signed activity to another account and the recipient account's server forwards the activity to a server controlled by the threat actor according to the inbox forwarding mechanism of ActivityPub
- The target account has joined a relay to which a server controlled by the threat actor subscribes, and sends a signed activity to that relay
Patches
At 10.102.699-m544, we are implementing the compact of activities verified by LD Signature.
This is expected to mitigate vulnerabilities.
If LD Signature verification is unnecessary, we recommend disabling LD Signature verification using the ignoreApForwarded option below.
Workarounds
It seems that by setting the ignoreApForwarded option to true, it is possible to completely avoid the impact of vulnerabilities.
This option is available since 10.102.323-m544.
However, enabling this option will result in the inability to receive relayed or forwarded activities.
Timeline
| Date and time |
Event |
| 2022-02-03 |
The same kind of vulnerability in Mastodon was disclosed: CVE-2022-24307 |
References
Reporter's Patch for Misskey v13- and Advisory
(You can also find the latest timeline and information on other implementations here.)
https://gist.github.com/tesaguri/f3c73f81bc000f669fc8adfab316603b
tesaguri Reporter
Summary
Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities.
Details
The reporter intends to keep this section undisclosed at least for 30 days after the publication of the advisory and until the remedy has been deployed widely.
PoC
The reporter intends to keep this section undisclosed at least for 30 days after the publication of the advisory and until the remedy has been deployed widely.
Impact
The vulnerability allows a threat actor to impersonate a target remote account and perform spoofed activities of any type attributed to the target account, provided that the threat actor has access to a valid Linked Data Signature by the target account.
There are a number of situations where the threat actor can obtain a valid signature by the target account, including:
Patches
At 10.102.699-m544, we are implementing the compact of activities verified by LD Signature.
This is expected to mitigate vulnerabilities.
If LD Signature verification is unnecessary, we recommend disabling LD Signature verification using the
ignoreApForwardedoption below.Workarounds
It seems that by setting the
ignoreApForwardedoption totrue, it is possible to completely avoid the impact of vulnerabilities.This option is available since 10.102.323-m544.
However, enabling this option will result in the inability to receive relayed or forwarded activities.
Timeline
References
Reporter's Patch for Misskey v13- and Advisory
(You can also find the latest timeline and information on other implementations here.)
https://gist.github.com/tesaguri/f3c73f81bc000f669fc8adfab316603b