
SIF-2023-002

Authors

@yunochi*, @perillamint*

Description

Incomplete validation of HTTP message signatures in Misskey allows an unauthenticated attacker to impersonate any remote (federated) user.

Affected software/version

Severity

CVSS v4.0 score: 7.1 (High)

Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS v3.1 score: 9.3 (Critical)

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Detailed information

When Misskey verifies that a remote actor is allowed to POST to an inbox, it only checks that the HTTP message signature is cryptographically valid over the headers the request claims to cover.

It does not check the headers themselves: the Digest header is not compared against the request body, and the Host header is not compared against the receiving instance. A request that was legitimately signed by a remote actor can therefore be accepted by a Misskey instance with a body and a destination the signer never signed, which lets an attacker spoof arbitrary users over the ActivityPub server-to-server federation protocol.

Proof-of-Concept code

Will be released after 2023-12-14

Possible mitigation

Proper mitigation

Update to a release that contains the fix.

If that is not a viable option,

For Misskey and CherryPick,

Apply the patch

There is also a follow-up patch that handles non-UTF-8 POST payloads. Apply that patch as well.

For Firefish,

Apply the patch

Hint: appending .patch to a GitHub commit URL downloads the commit as a patch file, which can be applied with the git am command.

Partial mitigation

Configure the reverse proxy to reject requests whose Host header does not match the instance's hostname. Since most ActivityPub implementations that authenticate server-to-server federation with HTTP message signatures include Host among the signed headers, this gives an imperfect but practical defense against the attack. It does not restore the missing Digest check, so treat it as a stopgap until the patch is applied.

Also, use a firewall so that external requests cannot reach the backend directly and bypass the reverse proxy.
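An nginx configuration for the Host filter described above, added here as an example and not taken from the advisory or from Misskey's documentation. The instance name misskey.example, the certificate paths and the backend port 3000 are assumptions. The condition it removes is a proxy whose only server block uses `server_name _` (or whose first server is the implicit default), which forwards every Host value to the backend.

```nginx
# Catch-all server: a request whose Host header matches no named server below
# lands here, and nginx closes the connection without a response (444).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # Any certificate will do; the TLS handshake must complete before nginx can read Host.
    ssl_certificate     /etc/nginx/ssl/fallback.crt;
    ssl_certificate_key /etc/nginx/ssl/fallback.key;
    return 444;
}

# Only requests that name the instance exactly are proxied to Misskey.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name misskey.example;            # exact name only, no wildcard or regex
    ssl_certificate     /etc/nginx/ssl/misskey.example.crt;
    ssl_certificate_key /etc/nginx/ssl/misskey.example.key;

    location / {
        proxy_pass http://127.0.0.1:3000;   # backend bound to loopback (assumed port)
        proxy_set_header Host $host;        # the Host that matched server_name, passed unchanged
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_http_version 1.1;
    }
}
```

Bind the backend to 127.0.0.1 (or firewall its port from the outside) so that the only path to Misskey runs through this server block; otherwise an attacker can skip the proxy and send any Host value directly.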

References

Disclosure timeline

Timestamp          Comment
2023-10-26T05:13Z  Exploit discovered by accident while testing SIF-2023-001 on Misskey
2023-11-09T07:36Z  Vulnerability report with patch sent to Misskey by e-mail
2023-11-14T06:22Z  Vulnerability report with patch submitted to Misskey via GHSA
2023-11-14T07:01Z  Received acknowledgement from @syuilo@misskey.io
2023-11-14T08:11Z  Patch merged on misskey-dev/misskey
2023-11-25T11:41Z  Misskey GHSA released to the public
2023-11-26T16:31Z  Firefish patch released (by Laura Hausmann)
2023-12-04T10:09Z  Full disclosure (reason: Misskey GHSA went public) before 2023-12-14T08:11Z

SiliconForest Advisory, 2023-12-04