CVE-2024-45192: 
NixOS vulnerability analysis and mitigation

An issue was discovered in Matrix libolm through 3.2.16 where cache-timing attacks can occur due to use of base64 when decoding group session keys. This vulnerability affects the libolm implementation of Olm and only impacts products that are no longer supported by the maintainer. The issue was discovered in August 2024 and has been assigned CVE-2024-45192 (NVD, Matrix Commit).

The vulnerability stems from timing leakage in the base64 decoding function used to load group session keys. The implementation uses table lookups indexed by secret data, which creates observable timing differences between cache hits and misses. This allows attackers to potentially extract sensitive information through cache-timing side-channel attacks. The CVSS 3.1 base score is 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could allow attackers to extract sensitive cryptographic key material through timing analysis of the base64 decoding operations. This affects the security of end-to-end encrypted communications for Matrix clients using libolm, potentially compromising message confidentiality (Security Blog).

The Matrix team has deprecated libolm and recommends all Matrix clients migrate to vodozemac, their new Rust-based implementation. No direct fixes will be implemented for libolm due to its deprecated status. Clients still using libolm should prioritize migration to vodozemac (Matrix Commit).

The disclosure sparked significant discussion in the security community, particularly after Matrix developers acknowledged they knowingly shipped code with timing side-channels for years. This admission led to criticism from security researchers and raised concerns about Matrix's approach to cryptographic security (HN Discussion).