CVE-2024-45191: 
NixOS vulnerability analysis and mitigation

An issue was discovered in Matrix libolm through version 3.2.16. The vulnerability affects the AES implementation in the library, which is susceptible to cache-timing attacks due to the use of S-boxes in its lookup table for the SubWord step. This vulnerability was assigned CVE-2024-45191 and was disclosed in August 2024. The issue affects multiple Matrix clients that still rely on the libolm library for cryptographic operations (NVD, Security Blog).

The vulnerability stems from the software implementation of AES that uses lookup tables for the SubWord operation. The implementation allows attackers to detect whether specific values were present in the processor's caches through timing differences between cache hits and misses. This creates an observable timing channel that could potentially leak sensitive information. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The cache-timing vulnerability could potentially allow attackers to extract secret key information through statistical analysis of timing differences. Similar vulnerabilities in other implementations have historically been exploited to extract secret keys from systems in milliseconds. The impact is particularly concerning as this affects the cryptographic library used for end-to-end encryption in Matrix clients (Security Blog).

The Matrix team has deprecated libolm in favor of vodozemac, their new Rust-based implementation. Users and developers are strongly encouraged to migrate to vodozemac. The proper mitigation for this type of vulnerability is to use hardware-accelerated AES implementation where available, or fall back to a constant-time bitsliced implementation for platforms without hardware acceleration (Security Blog).

The disclosure sparked significant discussion in the security community, particularly after it was revealed that the Matrix developers were aware of these issues but had chosen not to fix them. This admission led to increased criticism of the project's security practices and recommendations against using Matrix for secure communications (Security Blog).