SimpleXMQ before 3.4.0, as used in SimpleX Chat before 4.2, does not apply a key derivation function to intended data, which can interfere with forward secrecy and can have other impacts if there is a compromise of a single private key. This occurs in the X3DH key exchange for the double ratchet protocol.
References
Link | Resource |
---|---|
https://simplex.chat/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html | Release Notes Vendor Advisory |
https://github.com/simplex-chat/simplexmq/pull/548 | Patch Third Party Advisory |
https://github.com/trailofbits/publications/blob/master/reviews/SimpleXChat.pdf | Exploit Technical Description Third Party Advisory |
https://github.com/simplex-chat/simplexmq/compare/v3.3.0...v3.4.0 | Release Notes Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2022-11-12 11:15
Updated : 2022-11-17 09:06
NVD link : CVE-2022-45195
Mitre link : CVE-2022-45195
JSON object : View
CWE
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
Products Affected
simplex
- simplex_chat
- simplexmq