CVE-2024-6303
📋 TL;DR
This vulnerability in Conduit's Client-Server API allows unauthorized users to manipulate room aliases, including moving the #admins alias to a controlled room. This enables privilege escalation to perform administrative actions like password resets, server key signing, and user deactivation. All Conduit servers running version 0.7.0 or earlier are affected.
💻 Affected Systems
- Conduit
📦 What is this software?
Conduit, a Matrix homeserver (vendor: Conduit)
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise where attackers gain administrative privileges, reset passwords, sign arbitrary JSON with server keys, deactivate users, and potentially take full control of the Matrix server instance.
Likely Case
Attackers gain administrative access to manipulate server configuration, reset user passwords, and disrupt normal operations by deactivating legitimate users.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized API access, though the vulnerability still exists in the software.
🎯 Exploit Status
Exploitation requires API access but no authentication for the specific vulnerable endpoint. The attack vector is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.0
Vendor Advisory: https://conduit.rs/changelog/#v0-8-0-2024-06-12
Restart Required: Yes
Instructions:
1. Back up your Conduit configuration and data.
2. Stop the Conduit service.
3. Update to version 0.8.0 using your package manager or by downloading from https://gitlab.com/famedly/conduit/-/releases/v0.8.0.
4. Restart the Conduit service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to Conduit's Client-Server API endpoints to authorized users only, using firewall rules or network segmentation.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Conduit API endpoints
- Monitor logs for unauthorized alias manipulation attempts and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check the Conduit version by examining the service output or configuration files. If the version is 0.7.0 or earlier, the system is vulnerable.
Check Version:
Check Conduit logs or use 'conduit --version' if available, or examine package manager version information.
Verify Fix Applied:
After updating, verify the version shows 0.8.0 or later and test that unauthorized users cannot manipulate room aliases.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized alias manipulation attempts
- Unexpected #admins alias movement
- Failed authorization attempts on room alias endpoints
Network Indicators:
- Unusual API calls to room alias endpoints from unauthorized sources
SIEM Query:
source="conduit" AND (event="alias_removed" OR event="alias_added") AND user NOT IN authorized_users
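A small detector in the spirit of the SIEM query above, added here as an example (not Conduit's own tooling): it flags alias add/remove events by users outside an allowlist and separately spots the hijack pattern where a protected alias such as #admins is removed from one room and re-added to another. The JSON-per-line log format, the field names, and the allowlist are assumptions; the sample lines are constructed.

```python
import json

# Constructed sample log lines in an assumed JSON-per-line format; Conduit's real
# log fields may differ, so map them to your deployment before use.
SAMPLE_LOGS = [
    '{"event":"alias_added","alias":"#general:example.org","room_id":"!r1:example.org","user":"@alice:example.org"}',
    '{"event":"alias_removed","alias":"#admins:example.org","room_id":"!admin:example.org","user":"@mallory:example.org"}',
    '{"event":"alias_added","alias":"#admins:example.org","room_id":"!rogue:example.org","user":"@mallory:example.org"}',
    'not json at all',
    '{"event":"alias_added","alias":"#admins:example.org","room_id":"!admin:example.org","user":"@root:example.org"}',
]

AUTHORIZED_USERS = {"@root:example.org"}      # assumed admin allowlist
PROTECTED_ALIASES = {"#admins:example.org"}   # aliases whose move grants admin power
ALIAS_EVENTS = {"alias_added", "alias_removed"}


def parse_alias_events(lines):
    """Yield only well-formed alias add/remove records, skipping everything else."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: don't let it crash the detector
        if rec.get("event") in ALIAS_EVENTS and "alias" in rec and "user" in rec:
            yield rec


def find_alias_alerts(lines, authorized=AUTHORIZED_USERS, protected=PROTECTED_ALIASES):
    """Flag alias changes by users outside the allowlist; protected aliases are critical."""
    alerts = []
    for rec in parse_alias_events(lines):
        if rec["user"] in authorized:
            continue
        severity = "critical" if rec["alias"] in protected else "warning"
        alerts.append((severity, rec["user"], rec["event"], rec["alias"], rec.get("room_id")))
    return alerts


def find_alias_moves(lines, protected=PROTECTED_ALIASES):
    """Detect a protected alias removed from one room and re-added to another (the hijack pattern)."""
    last_removed_from = {}
    moves = []
    for rec in parse_alias_events(lines):
        alias = rec["alias"]
        if alias not in protected:
            continue
        if rec["event"] == "alias_removed":
            last_removed_from[alias] = rec.get("room_id")
        elif alias in last_removed_from and rec.get("room_id") != last_removed_from[alias]:
            moves.append((alias, last_removed_from.pop(alias), rec.get("room_id"), rec["user"]))
    return moves
```

Run `find_alias_moves` alongside `find_alias_alerts`: a move of #admins is the signal worth paging on even if the acting user is in the allowlist.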