CVE-2022-45195: 
NixOS vulnerability analysis and mitigation

SimpleXMQ before version 3.4.0, as used in SimpleX Chat before 4.2, contained a vulnerability (CVE-2022-45195) related to the X3DH key exchange implementation for the double ratchet protocol. The vulnerability was discovered and disclosed in November 2022, affecting the cryptographic key derivation process (Trail of Bits Report, SimpleX Blog).

The vulnerability stems from a failure to apply a key derivation function to the concatenation of three DH operations in the X3DH key exchange process. This implementation error was identified during a security audit by Trail of Bits. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating a network-accessible vulnerability requiring high attack complexity (NVD).

The vulnerability could interfere with forward secrecy and potentially have other security impacts if there is a compromise of a single private key. However, since SimpleX does not perform X3DH with long-term identity keys, the impact of compromising a key would be limited to affecting only the secrets of the connection where the key was compromised (SimpleX Blog).

The vulnerability was fixed in SimpleXMQ version 3.4.0 and SimpleX Chat version 4.2. Users are recommended to update to these versions or later. For previously created connections, while they should be secure if both sides have sent messages, users who believe their private keys might have been compromised are advised to create new connections with their contacts (SimpleX Blog).

The vulnerability was discovered during a security audit by Trail of Bits, a US-based security and technology consultancy. The issue was classified as one of two medium-severity findings in their assessment of the SimpleX platform. The SimpleX team acknowledged the findings and promptly implemented fixes in their next release (SimpleX Blog).