
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-32550 is an issue in AgileBits 1Password affecting the method that the various 1Password apps and integrations used to establish connections to the 1Password service. The vulnerability was found by Cure53, a penetration testing company contracted by 1Password, and was disclosed on June 3, 2022. It affected multiple versions of 1Password across platforms: the Mac, Windows, Linux, Android and iOS apps, the browser extension, the CLI, the SCIM Bridge, and the Connect Server (Vendor Advisory).
The vulnerability stems from an implementation choice in 1Password's version of the Secure Remote Password (SRP) protocol, the password-authenticated key exchange the apps use to authenticate to the service and derive a session key. 1Password's variant deviated from the standard SRP construction, and that deviation weakened one of the security layers involved in establishing a network connection. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD): network attack vector, high attack complexity, no privileges or user interaction required, and limited impact on confidentiality and integrity.
In specific circumstances, the flaw allowed a malicious server to convince a 1Password app or integration that it was communicating with the legitimate 1Password service; in other words, the mutual authentication that SRP is meant to provide did not reliably authenticate the server side. An attacker in that position could inspect the contents of requests encrypted for the server, including email addresses of family or team members, billing information, and various account settings. The attacker could not read secrets saved in 1Password or manipulate the contents of encrypted requests, because vault data is protected by a separate layer of encryption that does not depend on the session established by SRP (Vendor Advisory).
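The standard SRP-6a exchange that 1Password's implementation deviated from, as an added example written for this page (Python; this is not 1Password's code, and the advisory summary above does not say which step 1Password altered). It follows RFC 5054 for the group parameters, PAD() and the scrambling parameter u, uses simplified M1/M2 proof formulas rather than the RFC 2945 ones, and runs on constructed sample credentials. What it demonstrates is the property the vulnerability weakened: a client that performs the standard checks (rejecting B ≡ 0 mod N and u = 0, then verifying the server's proof M2) accepts only a server that actually holds the user's verifier, so an impostor server without it is rejected before any application data is sent over the session.

```python
import hashlib
import hmac
import os

# 1024-bit SRP group from RFC 5054 Appendix A, transcribed here (check against the
# RFC before relying on it; real deployments should use the 2048-bit or larger groups).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:  # SHA-256 of the concatenated parts, as an integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:  # PAD() from RFC 5054: left-pad to the byte length of N
    return x.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(identity: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(identity + b":" + password).digest())

def verifier(identity: bytes, password: bytes, salt: bytes) -> int:
    return pow(g, private_x(identity, password, salt), N)  # v = g^x, stored by the server

# Simplified proofs for this example; RFC 2945 defines different M1/M2 formulas.
def proof_m1(A: int, B: int, K: bytes) -> bytes:
    return hashlib.sha256(pad(A) + pad(B) + K).digest()

def proof_m2(A: int, M1: bytes, K: bytes) -> bytes:
    return hashlib.sha256(pad(A) + M1 + K).digest()

class Server:
    """Legitimate server: holds (salt, v) for the user, never the password."""
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
    def challenge(self):
        self.b = int.from_bytes(os.urandom(32), "big")
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B
    def session_key(self, A: int) -> bytes:  # K = H((A * v^u)^b mod N)
        u = H(pad(A), pad(self.B))
        return hashlib.sha256(pad(pow(A * pow(self.v, u, N) % N, self.b, N))).digest()
    def finish(self, A: int, M1: bytes) -> bytes:
        if A % N == 0:  # RFC 5054: the server MUST abort on A = 0 mod N
            raise ValueError("client public value A is zero mod N")
        K = self.session_key(A)
        if not hmac.compare_digest(M1, proof_m1(A, self.B, K)):
            raise ValueError("client proof M1 rejected")
        return proof_m2(A, M1, K)

class ImpostorServer(Server):
    """Constructed attacker: holds a wrong v and skips the M1 check so it can still answer."""
    def finish(self, A: int, M1: bytes) -> bytes:
        return proof_m2(A, M1, self.session_key(A))

class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.identity, self.password = identity, password
    def start(self) -> int:
        self.a = int.from_bytes(os.urandom(32), "big")
        self.A = pow(g, self.a, N)
        return self.A
    def respond(self, salt: bytes, B: int) -> bytes:
        # Client-side checks that standard SRP-6a (RFC 5054) requires.
        if B % N == 0:
            raise ValueError("server public value B is zero mod N")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("scrambling parameter u is zero")
        x = private_x(self.identity, self.password, salt)
        # S = (B - k*g^x)^(a + u*x) mod N, which equals the server's (A*v^u)^b.
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = proof_m1(self.A, B, self.K)
        return self.M1
    def verify_server(self, M2: bytes) -> bool:
        # Only a server that actually holds v can produce this value.
        return hmac.compare_digest(M2, proof_m2(self.A, self.M1, self.K))

def handshake(client: Client, server: Server) -> bool:  # True only if the client accepts M2
    A = client.start()
    salt, B = server.challenge()
    M1 = client.respond(salt, B)
    return client.verify_server(server.finish(A, M1))

# Constructed sample credentials, not real data.
IDENT, PASSWORD, SALT = b"alice@example.com", b"correct horse", b"\x01" * 16

def honest_run() -> bool:
    return handshake(Client(IDENT, PASSWORD), Server(SALT, verifier(IDENT, PASSWORD, SALT)))

def impostor_run() -> bool:
    wrong_v = verifier(IDENT, b"wrong guess", SALT)  # attacker's best guess at v
    return handshake(Client(IDENT, PASSWORD), ImpostorServer(SALT, wrong_v))

def zero_b_run() -> str:  # a server sending B = 0 is rejected before any key exists
    c = Client(IDENT, PASSWORD)
    c.start()
    try:
        c.respond(SALT, 0)
    except ValueError as err:
        return str(err)
    return "accepted"
```

`honest_run()` returns True, `impostor_run()` returns False because the impostor's M2 is computed under a different K, and `zero_b_run()` shows the client aborting on a forbidden B before it derives anything. The general lesson for any SRP deployment is the same one the advisory draws: every one of those client-side checks, and the final M2 verification in particular, is part of what authenticates the server, and dropping or altering any of them hands a malicious server a way to be accepted.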
1Password has released patches for all affected products. Users are advised to update to versions newer than the following: 1Password for Mac 7.9.5/8.7.1, Windows 7.9.829/8.7.1, Linux 8.7.1, Android 7.9.3/8.8.0-104, iOS 7.9.6/8.8.0-94, browser extension 2.3.4, CLI 1.12.5/2.3.0, SCIM Bridge 2.3.2, and Connect Server 1.5.3. Note that the SCIM Bridge and Connect Server are deployed and upgraded by customers in their own infrastructure, so they need to be updated separately from the end-user apps and the extension. The company has also stated its intention to remove the historical implementation quirk and move to a different password-authenticated key exchange mechanism (Vendor Advisory).