Bitwarden Vulnerabilities: How affected is vaultwarden? [ZKAE]

[Starbix]

Bitwarden's claims about Zero knowledge encryption were recently analysed: https://zkae.io
It concerns the assumption of a malicious server and shows 12 distinct attacks against Bitwarden.
How affected is vaultwarden to these attacks?

[BlackDex]

Sync encryption is done fully client-side, i would think that all items are applicable.

[Starbix]

True, I guess the attacks have been mitigated by client updates. I haven't read the paper in detail, but in case there are attacks working on the data on disk created by vaultwarden could be attacked by a malicious server with access to data, in which case vaultwarden could be affected.

[winterdeaf]

Author of the paper here! Most mitigation are indeed client-side, and some are still rolling out.

Something Vaultwarden should check is whether the server signals support for "per-item keys" or "Cipher Keys". Clients enable that feature depending on the server version string and a feature flag.
Without the right CIPHER_KEY_ENC_MIN_SERVER_VER, client never start adding cipher keys to item, making vaults vulnerable to many malicious-server attacks.

[BlackDex]

We report the a newer version of the server, but even Bitwarden it self does not enable cipher-key-encryption.
And that probably is for a reason, and therefor we do not enable this either, as it's still experimental and had several issues in the past as far as i know.

[winterdeaf]

Would it make sense for Vaultwarden to expose the flag as a configuration setting? As it stands, a compromised server can trivially exfiltrate passwords by carrying out the "Icon URL Item Decryption" (BW06) attack. (Some restrictions apply, e.g. the attack only works for passwords that contain a . character and no exclamation mark.)

For people who run their own Vaultwarden(/Bitwarden) server in the cloud, law enforcement or malicious actors with physical access could carry out the attack with relative ease.

As it stands, there is also no migration path for items that are created without per-item keys: every item created while cipher-key-encryption is disabled may forever remain vulnerable.

[quexten]

And that probably is for a reason, and therefor we do not enable this either, as it's still experimental and had several issues in the past as far as i know.

Cipher-key encryption is being rolled-out on upstream prod currently. In the past it did have issues but they are remediated at this point. At some (near) point, the flag will be removed and defaulted to being on in the clients at which point self-hosted installations such as vaultwarden will also have it default enabled.

[pamperer562580892423]

FYI, Bitwarden released the following blog post about that (at the bottom there, one can access the complete report): https://bitwarden.com/blog/security-through-transparency-eth-zurich-audits-bitwarden-cryptography/