Lagging Mastodon admins urged to patch critical account takeover flaw (CVE-2024-23832)
Five days after Mastodon developers pushed out fixes for a remotely exploitable account takeover vulnerability (CVE-2024-23832), over 66% of Mastodon servers out there have been upgraded to close the hole.
Mastodon is open-source (server) software for running self-hosted social networking services within the wider Fediverse.
The Fediverse is powered by the ActivityPub social networking protocol and consists of many social networks powered by different software. Unlike other social media networks, the Fediverse is decentralized.
Mastodon users gather on a variety of different servers (aka instances), run by different people or organizations, which makes the uptake of the latest security updates quite impressive.
CVE-2024-23832 stems from insufficient origin validation, and may allow attackers to “impersonate and take over any remote account,” the security advisory briefly explains.
“Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.”
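For an admin who wants to check an instance against the version ranges quoted above, here is an added example (not code from the Mastodon project or the advisory) that classifies a reported version string. It encodes only the fixed versions listed in the advisory; branches the advisory does not mention are reported as unknown rather than guessed. The `SAMPLE_INSTANCE_JSON` body is constructed for the example and stands in for the response of the public `GET /api/v1/instance` endpoint, which reports the running version.

```ruby
require 'rubygems' # provides Gem::Version (loaded by default, listed for clarity)
require 'json'

# Fixed releases per the CVE-2024-23832 advisory, keyed by release branch.
# Everything older than 3.5.17, on any branch, is listed as vulnerable.
FIXED_VERSIONS = {
  '3.5' => '3.5.17',
  '4.0' => '4.0.13',
  '4.1' => '4.1.13',
  '4.2' => '4.2.5',
}.freeze
OLDEST_FIXED = Gem::Version.new('3.5.17')

# Drop a "+build" suffix (e.g. "4.2.5+nightly") so only the release part is compared.
# A "-rc1"-style prerelease suffix is kept: Gem::Version orders it before the release.
def release_part(version)
  version.to_s.strip.split('+').first.to_s
end

# Returns :vulnerable, :patched, or :unknown (unparseable, or a branch the
# advisory does not list, which should be checked against the advisory directly).
def vulnerability_status(version)
  v = release_part(version)
  return :unknown if v.empty? || !Gem::Version.correct?(v)

  gv = Gem::Version.new(v)
  return :vulnerable if gv < OLDEST_FIXED

  branch = gv.segments.first(2).join('.')
  fixed = FIXED_VERSIONS[branch]
  return :unknown unless fixed

  gv >= Gem::Version.new(fixed) ? :patched : :vulnerable
end

# Pull the version string out of a GET /api/v1/instance response body.
def version_from_instance_json(body)
  JSON.parse(body).fetch('version')
end

# Constructed sample response; not captured from a real instance.
SAMPLE_INSTANCE_JSON = '{"uri":"example.social","version":"4.2.4"}'

if __FILE__ == $PROGRAM_NAME
  v = version_from_instance_json(SAMPLE_INSTANCE_JSON)
  puts "#{v}: #{vulnerability_status(v)}" # prints "4.2.4: vulnerable"
end
```

In practice the body would come from `curl -s https://<your-instance>/api/v1/instance`; the classification is deliberately conservative and never reports a branch as patched unless the advisory names a fixed release for it.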
The vulnerability was privately reported, and additional technical details will be withheld until February 15, “when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.”
Mastodon server admins have been alerted to the need to apply the critical security update via email and via unmissable prompts in the admin panel, which might explain the satisfactory uptake of the fix.
This is not the first time that a critical, easily exploited vulnerability has been fixed in the Mastodon software.
Last year, German pentesting outfit Cure53 reported five vulnerabilities, one of which (CVE-2023-36460) allowed attackers to send a toot (Mastodon post/message) that could create arbitrary (malicious) files on instances that processed the message. All five flaws were quickly fixed by the project maintainers.
UPDATE (February 18, 2024, 15:15 ET):
More details about CVE-2024-23832 have been revealed.
“This vulnerability allowed attackers to impersonate any remote ActivityPub actor as observed from a vulnerable Mastodon server, even if the remote server did not use Mastodon. This vulnerability could also be used to overwrite existing objects, including protocol details, allowing attackers to intercept further traffic between a vulnerable Mastodon server and an impersonated remote ActivityPub actor,” it has been explained.
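The bug class named in the advisory, insufficient origin validation, is the kind of check an ActivityPub server applies before it stores or updates an object it received from another server. The following is an added example, not Mastodon's code and not its fix for this CVE: it illustrates the general rule that an object's `id`, `attributedTo` and `actor` identifiers must live on the same https host as the origin the object came from (the host it was fetched from, or the host of the actor whose signature authenticated the delivery). Objects that fail the check are rejected rather than written, so one origin cannot create or overwrite records belonging to another. The sample objects and hostnames are constructed.

```ruby
require 'uri'

# Outcome of an origin check: accepted? plus a human-readable reason.
OriginCheck = Struct.new(:accepted, :reason)

# Lowercased host of an https URL, or nil if the value is not a usable
# ActivityPub identifier (not https, no host, or unparsable).
def origin_host(url)
  uri = URI.parse(url.to_s)
  return nil unless uri.is_a?(URI::HTTPS) && uri.host && !uri.host.empty?

  uri.host.downcase
rescue URI::InvalidURIError
  nil
end

# Normalise an attributedTo/actor value (string, embedded object, or array)
# to a flat list of identifier strings.
def identifier_refs(value)
  Array(value).map { |v| v.is_a?(Hash) ? v['id'] : v }
end

# Validate that `object` (a parsed JSON-LD hash) only claims identifiers on
# `source_origin`. Host comparison is exact and ignores the port; a deployment
# that uses non-default ports would compare host:port instead.
def check_object_origin(object, source_origin)
  source = origin_host(source_origin)
  return OriginCheck.new(false, 'source origin is not an https host') unless source

  id_host = origin_host(object['id'])
  return OriginCheck.new(false, 'object id is not an https URL') unless id_host
  unless id_host == source
    return OriginCheck.new(false, "object id host #{id_host} differs from source #{source}")
  end

  %w[attributedTo actor].each do |key|
    next unless object.key?(key)

    identifier_refs(object[key]).each do |ref|
      ref_host = origin_host(ref)
      return OriginCheck.new(false, "#{key} is not an https URL") unless ref_host
      unless ref_host == source
        return OriginCheck.new(false, "#{key} host #{ref_host} differs from source #{source}")
      end
    end
  end

  OriginCheck.new(true, 'ok')
end

# Constructed sample input; these hosts do not refer to real servers.
SOURCE = 'https://remote.example'
LEGIT_NOTE = {
  'id' => 'https://remote.example/notes/1',
  'type' => 'Note',
  'attributedTo' => 'https://remote.example/users/alice',
}.freeze
SPOOFED_NOTE = {
  'id' => 'https://other.example/notes/1',
  'type' => 'Note',
  'attributedTo' => 'https://other.example/users/bob',
}.freeze

if __FILE__ == $PROGRAM_NAME
  [LEGIT_NOTE, SPOOFED_NOTE].each do |note|
    result = check_object_origin(note, SOURCE)
    puts "#{note['id']}: #{result.accepted ? 'accepted' : 'rejected'} (#{result.reason})"
  end
end
```

The same check applies when an object is fetched by URL: the host of the URL that was actually dereferenced is the source origin, and the `id` inside the returned document must match it before the document is trusted as that object.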
A technical write-up explaining the issue and a PoC are available here.