CVE-2026-48929
Unauthenticated File Deletion in Rocket.Chat

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: HackerOne

Description
Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.
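The CWE-287 pattern the description points at, as an added illustration that is not Rocket.Chat's code: the in-memory store, the file table, the permission helper and both handler bodies are assumed stand-ins, reconstructed from the description alone, for the real deleteFileMessage implementation.

```javascript
'use strict';

// Constructed in-memory upload store exposing the deleteById shape the advisory names.
function makeStore(ids) {
  const files = new Set(ids);
  return {
    has: (id) => files.has(id),
    deleteById: (id) => files.delete(id),
  };
}

// Assumed permission helper: only the uploader or an admin may delete a file.
function canDelete(userId, file) {
  return userId === file.ownerId || userId === 'admin';
}

// Vulnerable shape: the permission check only runs when a userId is present, so an
// unauthenticated DDP caller (userId === null) skips it and falls through to deleteById.
function deleteFileMessageVulnerable(store, files, userId, fileID) {
  const file = files[fileID];
  if (!file) throw new Error('error-file-not-found');
  if (userId) {
    if (!canDelete(userId, file)) throw new Error('error-not-allowed');
  }
  store.deleteById(fileID);
  return true;
}

// Hardened shape: fail closed. A missing userId is rejected before any lookup, and the
// authorization check is then evaluated for every caller rather than only for some.
function deleteFileMessageFixed(store, files, userId, fileID) {
  if (!userId) throw new Error('error-invalid-user');
  const file = files[fileID];
  if (!file) throw new Error('error-file-not-found');
  if (!canDelete(userId, file)) throw new Error('error-not-allowed');
  store.deleteById(fileID);
  return true;
}

// Constructed sample: a single upload owned by user "alice".
const SAMPLE_FILES = { f1: { ownerId: 'alice' } };

// Calls a handler as an unauthenticated caller (userId === null) against a fresh store
// and reports whether the file is still there afterwards.
function fileSurvivesUnauthenticatedCall(handler) {
  const store = makeStore(Object.keys(SAMPLE_FILES));
  try { handler(store, SAMPLE_FILES, null, 'f1'); } catch (e) { /* call rejected */ }
  return store.has('f1');
}
```

Running fileSurvivesUnauthenticatedCall against each handler shows the difference: the vulnerable shape returns false (the file is gone), the hardened one returns true.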
Affected Vendors & Products (9 associated CPEs)

Vendor        Product       Version / Range
rocket_chat   rocket_chat   versions before 7.10.13 (excluding)
rocket.chat   rocket.chat   versions before 8.5.1 (excluding)
rocket.chat   rocket.chat   versions before 8.4.4 (excluding)
rocket.chat   rocket.chat   versions before 8.3.6 (excluding)
rocket.chat   rocket.chat   versions before 8.2.6 (excluding)
rocket.chat   rocket.chat   versions before 8.1.6 (excluding)
rocket.chat   rocket.chat   versions before 8.0.7 (excluding)
rocket.chat   rocket.chat   versions before 7.13.9 (excluding)
rocket.chat   rocket.chat   versions before 7.10.13 (excluding)
CWE

CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Quick Actions
Executive Summary

This vulnerability affects Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13. It allows unauthenticated users to delete uploaded files through the deleteFileMessage Meteor method, which deletes files by their ID without requiring any authentication. When the method is called over an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, the authorization check is skipped, and the deletion proceeds unconditionally. File IDs can be found in public channel message payloads and download URLs, so an attacker can identify and delete files they should not have access to.

Impact Analysis

This vulnerability can lead to the permanent deletion of uploaded files without any authentication or authorization. An attacker can remove important or sensitive files from the Rocket.Chat storage and database simply by knowing the file IDs, which are publicly accessible. This can result in data loss, disruption of communication, and potential damage to business operations relying on the integrity and availability of these files.

Detection Guidance

This vulnerability involves unauthenticated deletion of uploaded files via the deleteFileMessage Meteor method over DDP WebSocket connections. Detection would involve monitoring for unauthenticated DDP WebSocket requests invoking deleteFileMessage with file IDs.

Since file IDs are discoverable from public channel message payloads and download URLs, suspicious or unexpected deleteFileMessage calls without authentication could indicate exploitation attempts.

However, no specific detection commands or tools are provided in the available information.

Mitigation Strategies

The vulnerability affects Rocket.Chat versions prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13.

Immediate mitigation should include upgrading Rocket.Chat to version 8.5.1 or later (or the corresponding fixed versions) where this unauthenticated file deletion issue is resolved.

Until an upgrade can be performed, restricting access to the DDP WebSocket endpoint to authenticated users only or implementing network-level controls to block unauthenticated deleteFileMessage calls may help reduce risk.

Compliance Impact

The vulnerability allows unauthenticated deletion of uploaded files in Rocket.Chat, which could lead to loss of data integrity and availability.

Since files can be deleted without authentication and file IDs are publicly discoverable, this could impact compliance with standards like GDPR and HIPAA that require protection of data integrity and availability.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.
