Mastodon fixes critical vulnerability
The maintainers of the open source software that powers the Mastodon social network have released a security update that patches a critical vulnerability that could have allowed hackers to backdoor servers that push content to individual users.
Mastodon operates on a federated model consisting of numerous separate servers known as “instances”; there are over 12,000 instances serving 14.5 million users. Individual users create accounts on a specific instance, and content is exchanged between users on different instances.
The vulnerability, tracked as CVE-2023-36460, was one of two critical vulnerabilities that were fixed in the update. The other critical vulnerability was tracked as CVE-2023-36459.
CVE-2023-36460, classified as an “arbitrary file creation through media attachments” flaw, can be exploited with specially crafted media files that trick Mastodon’s media processing code into creating files at any location. As a result, attackers gain the ability to overwrite any file accessible to Mastodon, potentially leading to denial of service and arbitrary remote code execution.
Independent security researcher Kevin Beaumont dubbed this flaw #TootRoot, emphasizing the danger of hackers acquiring root access. Although no exploitation has yet been discovered, the patch was developed as a result of penetration testing supported by the Mozilla Foundation and carried out by Cure53. Mastodon’s internal team also contributed to the development of the required improvements.
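The defensive check that closes this class of bug is to treat every filename derived from an upload as untrusted and refuse to write anything that does not resolve inside the configured media root. The following Ruby module is an added illustration written for this article, not Mastodon’s own code or its actual fix; `media_root`, `MediaPathGuard` and the allowed-extension list are assumptions.

```ruby
require "fileutils"
require "tmpdir"

# Illustrative guard for the "arbitrary file creation through media attachments"
# bug class (CVE-2023-36460). Added example, not Mastodon's code: every path the
# media pipeline writes must resolve strictly under the configured media root.
module MediaPathGuard
  class UnsafePath < StandardError; end

  # Assumed allow-list of attachment types the pipeline is permitted to emit.
  ALLOWED_EXT = %w[.png .jpg .jpeg .gif .webp .mp4 .webm .mp3].freeze

  # Returns the absolute path the file may be written to, or raises UnsafePath.
  # `name` is the attacker-influenced part (derived from the uploaded attachment);
  # relative sub-directories are allowed, traversal and absolute paths are not.
  def self.resolve(media_root, name)
    raise UnsafePath, "empty name" if name.nil? || name.empty?
    raise UnsafePath, "NUL byte in name" if name.include?("\0")
    raise UnsafePath, "absolute path" if name.start_with?("/")
    raise UnsafePath, "backslash in name" if name.include?("\\")
    ext = File.extname(name).downcase
    raise UnsafePath, "disallowed extension #{ext.inspect}" unless ALLOWED_EXT.include?(ext)

    root = File.expand_path(media_root)
    full = File.expand_path(File.join(root, name))  # collapses any ".." segments
    # Containment check: the resolved path must stay below root (note the separator,
    # so "/srv/media-evil" does not pass as a child of "/srv/media").
    raise UnsafePath, "path escapes media root" unless full.start_with?(root + File::SEPARATOR)
    full
  end

  # Boolean convenience wrapper around resolve.
  def self.safe?(media_root, name)
    resolve(media_root, name)
    true
  rescue UnsafePath
    false
  end

  # Writes bytes only to a guarded location; returns the path written.
  def self.write(media_root, name, bytes)
    path = resolve(media_root, name)
    FileUtils.mkdir_p(File.dirname(path))
    File.binwrite(path, bytes)
    path
  end
end
```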
CVE-2023-36459 is an “XSS through oEmbed preview cards” flaw. This means that an attacker could create malicious oEmbed links that, when clicked, could inject malicious code into a user’s browser. This malicious code could then be used to steal the user’s personal information or to take control of their account.
The three other vulnerabilities that were fixed in the update were all rated as high or medium severity. They included a “Blind LDAP injection in login” vulnerability that allows attackers to extract arbitrary attributes from the LDAP database, a “Denial of Service through slow HTTP responses,” and “Verified profile links” that can be formatted deceptively.
The sources for this piece include an article in ArsTechnica.