CVE-2023-36460: Mastodon Patches Critical RCE Security Vulnerability
In a critical security move, the maintainers of Mastodon, the open-source engine that powers the social networking platform of the same name, released a crucial update on Thursday. The update patches a serious vulnerability that could have exposed the servers delivering content to individual users to attackers, potentially giving them backdoor access.
For those unacquainted, Mastodon is a free and open-source social network built on ActivityPub, a decentralized protocol for social networking. It allows users to follow friends, discover new ones, and publish content freely, from links, pictures and text to videos. Being a federated network, it ensures seamless communication between users across different servers, even if they are using non-Mastodon software that implements ActivityPub. At present, there are over 24,000 Mastodon instances and 14.5 million users, as per the-federation.info.
The update addressed not one but four distinct vulnerabilities. Let’s take a closer look at these vulnerabilities, their potential impacts, and the resolutions implemented.
1. Cross-Site Scripting (XSS) through oEmbed Preview Cards (CVE-2023-36459)
With a CVSS score of 9.3, this vulnerability allowed an attacker to circumvent Mastodon’s HTML sanitization using crafted oEmbed data. This introduced a vector for XSS payloads that could be rendered in a user’s browser when they clicked through a malicious preview card. The vulnerability affected all versions >= 1.3 and was subsequently patched in versions 4.1.3, 4.0.5, and 3.5.9.
2. Arbitrary File Creation through Media Attachments (CVE-2023-36460)
With a towering CVSS score of 9.9, this vulnerability allowed attackers to create arbitrary files anywhere, using specially crafted media files that could trick Mastodon’s media processing code. The impact could be wide-ranging, from Denial of Service to arbitrary Remote Code Execution. Alarmingly, this could potentially bring the entire infrastructure to a halt, with hijacked instances sending false alerts to users, or coercing them to download malicious apps. Fortunately, there’s no evidence that the CVE-2023-36460 bug has ever been exploited. It affected all versions >= 3.5.0 and was patched in versions 4.1.3, 4.0.5, and 3.5.9.
3. Denial of Service through Slow HTTP Responses (CVE-2023-36461)
With a CVSS score of 7.5, this vulnerability could cause server unresponsiveness through slowloris-type attacks during outgoing HTTP queries, keeping all Mastodon workers busy for an extended period. It affected all Mastodon versions but has now been patched in versions 4.1.3, 4.0.5, and 3.5.9.
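As an added illustration of the failure mode above (example code, not Mastodon's own fix): a bounded outgoing fetch in Ruby, plus a constructed loopback server that either never answers or trickles its body one byte at a time. A per-read timeout alone does not catch the trickle case, so the fetch also enforces an overall deadline and a size cap. `start_slow_server`, `bounded_fetch` and the timeout values are assumptions for this example.

```ruby
require 'net/http'
require 'socket'
# Constructed stand-in for a misbehaving remote host (loopback only). :stall
# never answers; :trickle sends headers, then one body byte every `delay` seconds.
# Returns the port the listener is bound to.
def start_slow_server(mode, delay: 0.2, bytes: 1000)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      Thread.new(server.accept) do |c|
        begin
          c.gets # request line; the rest of the request is irrelevant here
          if mode == :trickle
            c.write "HTTP/1.1 200 OK\r\nContent-Length: #{bytes}\r\n\r\n"
            bytes.times { c.write 'x'; c.flush; sleep delay }
          else
            sleep 3600
          end
          c.close
        rescue IOError, SystemCallError
          nil # the client gave up first; nothing left to do
        end
      end
    end
  end
  server.addr[1]
end

# Outgoing fetch bounded by a connect timeout, a per-read timeout, an overall
# wall-clock deadline and a size cap. The per-read timeout alone is not enough:
# a peer that trickles one byte every 0.2 s never trips a 1 s read timeout, yet
# could hold the calling worker for minutes, the slowloris pattern behind CVE-2023-36461.
def bounded_fetch(host, port, path, read_timeout: 1.0, deadline: 1.0, max_bytes: 1 << 20)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  body = +''
  Net::HTTP.start(host, port, open_timeout: 1.0, read_timeout: read_timeout, max_retries: 0) do |http|
    http.request_get(path) do |resp|
      resp.read_body do |chunk| # streamed, so the checks run as bytes arrive
        body << chunk
        elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
        return { status: :deadline_exceeded, bytes: body.bytesize } if elapsed > deadline
        return { status: :too_large, bytes: body.bytesize } if body.bytesize > max_bytes
      end
    end
  end
  { status: :ok, bytes: body.bytesize }
rescue Net::OpenTimeout, Net::ReadTimeout => e
  { status: :timeout, error: e.class.name }
end
```

`bounded_fetch('127.0.0.1', start_slow_server(:stall), '/')` returns status `:timeout` after about a second, and the `:trickle` variant returns `:deadline_exceeded` with only a handful of bytes read instead of waiting out the full body.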
4. Misleading Profile Links (CVE-2023-36462)
With a CVSS score of 5.4, an attacker could exploit this vulnerability by formatting a verified profile link in a way that concealed parts of the link, thus making it appear to link to a different URL. Although visually deceptive, the actual link could be revealed upon clicking. However, it still posed a phishing risk, similar to IDN homograph attacks. This bug affected all versions >= 2.6.0 and has been addressed in versions 4.1.3, 4.0.5, and 3.5.9.
The update serves as a timely reminder of the ever-present risks and vulnerabilities that lurk beneath even the most secure-looking platforms. As cyber threats continue to evolve, continuous vigilance and regular updates remain paramount in ensuring user safety and maintaining trust in these platforms.