So, like...
OMEMO v0.3 has a pretty fucking obvious issue similar to what I found in Threema.
You're forced to use AES-GCM in a way that makes Invisible Salamanders a trivial exploit to pull off.
https://github.com/soatok/gcm-exploit
I'm not going to bother with an embargo for this. This specific protocol and design problem is not present in newer versions of their spec. Unfortunately, I can't find any implementations that use the updated spec!
Conversations is impacted.
Gajim is impacted.
Et cetera.
> Is this 0day?
Probably not to the spec authors, but to the implementation developers? Maybe.
This is why you don't roll your own crypto.
Also, Conversations uses Java's Base64 class to decode private keys, which is susceptible to cache-timing attacks: https://codeberg.org/iNPUTmice/Conversations/src/branch/master/src/main/java/eu/siacs/conversations/crypto/axolotl/XmppAxolotlMessage.java#L63
See this paper: https://arxiv.org/abs/2108.04600
That one is *definitely* a 0day.
#XMPP #OMEMO #infosec #crypto #0day #vulnerability
Soatok Dreamseeker /
npub1wf…vw2m9
2024-08-01 20:13:07
in reply to nevent1q…t3u0
Author Public Key
npub1wfp0azvqh9n27j7zgnej54cr9xjs5x2efztwzurjdpj34ea5vw9qdvw2m9Published at
2024-08-01 20:13:07Event JSON
{
"id": "4edf3cfccecb45aa0700e93a6a92384f43385dd7c53e312d0de7869aace2ff0b",
"pubkey": "7242fe8980b966af4bc244f32a570329a50a19594896e1707268651ae7b4638a",
"created_at": 1722543187,
"kind": 1,
"tags": [
[
"proxy",
"https://furry.engineer/@soatok/112888590345793780",
"web"
],
[
"e",
"7afb680f74232a56920c79d6d68ecd2402c64b66240c7bc02b44b79632eef36f",
"",
"root",
"7242fe8980b966af4bc244f32a570329a50a19594896e1707268651ae7b4638a"
],
[
"t",
"crypto"
],
[
"e",
"b54ebefddf87eeb2cf5755b7405eb2dadbd2e10c656e92ceca28419b69498285",
"",
"reply",
"7242fe8980b966af4bc244f32a570329a50a19594896e1707268651ae7b4638a"
],
[
"t",
"xmpp"
],
[
"t",
"infosec"
],
[
"t",
"omemo"
],
[
"t",
"vulnerability"
],
[
"p",
"7242fe8980b966af4bc244f32a570329a50a19594896e1707268651ae7b4638a"
],
[
"t",
"0day"
],
[
"proxy",
"https://furry.engineer/users/soatok/statuses/112888590345793780",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://furry.engineer/users/soatok/statuses/112888590345793780",
"pink.momostr"
],
[
"-"
]
],
"content": "So, like...\n\nOMEMO v0.3 has a pretty fucking obvious issue similar to what I found in Threema.\n\nYou're forced to use AES-GCM in a way that makes Invisible Salamanders a trivial exploit to pull off.\n\nhttps://github.com/soatok/gcm-exploit\n\nI'm not going to bother with an embargo for this. This specific protocol and design problem is not present in newer versions of their spec. Unfortunately, I can't find any implementations that use the updated spec!\n\nConversations is impacted.\nGajim is impacted.\nEt cetera.\n\n\u003e Is this 0day?\n\nProbably not to the spec authors, but to the implementation developers? Maybe.\n\nThis is why you don't roll your own crypto.\n\nAlso, Conversations uses Java's Base64 class to decode private keys, which is susceptible to cache-timing attacks: https://codeberg.org/iNPUTmice/Conversations/src/branch/master/src/main/java/eu/siacs/conversations/crypto/axolotl/XmppAxolotlMessage.java#L63\n\nSee this paper: https://arxiv.org/abs/2108.04600\n\nThat one is *definitely* a 0day.\n\n#XMPP #OMEMO #infosec #crypto #0day #vulnerability",
"sig": "f3d6662d38a694bdbd1eb7e5855ba05704dce8a578eab448ad7c5b821a038262fe303f1cd293a4c5dff54aa7e23ebafd73c178465c741aa802cab12c761899a5"
}