GHSA-qjrq-hm79-49ww

Опубликовано: 22 мая 2023

Источник: github

Github: Прошло ревью

CVSS3: 5.9

Описание

ginuerzh/gost vulnerable to Timing Attack

Timing attacks occur when an attacker can guess a secret by observing a difference in processing time for valid and invalid inputs. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparision function. More information on this attack type can be found in this blog post.

Root Cause Analysis

In this case, the vulnerability occurs due to the following code.

https://github.com/ginuerzh/gost/blob/1c62376e0880e4094bd3731e06bd4f7842638f6a/auth.go#L46-L46

Here, a untrusted input, sourced from a HTTP header, is compared directly with a secret. Since, this comparision is not secure, an attacker can mount a side-channel timing attack to guess the password.

Remediation

This can be easily fixed using a constant time comparing function such as crypto/subtle's ConstantTimeCompare. An example fix can be found in https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820 Alternatively, one can apply the patch below

From d18cff85e1a565f688f717fd8f2cacea62ff9dbf Mon Sep 17 00:00:00 2001 From: Porcupiney Hairs <porcupiney.hairs@protonmail.com> Date: Sun, 7 May 2023 01:03:33 +0530 Subject: [PATCH] Fix : Timing attack --- auth.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/auth.go b/auth.go index 1be96e9..be13f23 100644 --- a/auth.go +++ b/auth.go @@ -2,6 +2,7 @@ package gost import ( "bufio" + "crypto/subtle" "io" "strings" "sync" @@ -43,7 +44,8 @@ func (au *LocalAuthenticator) Authenticate(user, password string) bool { } v, ok := au.kvs[user] - return ok && (v == "" || password == v) + passOk := subtle.ConstantTimeCompare([]byte(password), []byte(v)) == 0 + return ok && (v == "" || passOk) } // Add adds a key-value pair to the Authenticator. -- 2.25.1

Ссылки

Пакеты

Наименование

github.com/ginuerzh/gost

Затронутые версииВерсия исправления

<= 2.11.5

Отсутствует

EPSS

Процентиль: 44%

0.00215

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2023-32691

Дефекты

CWE-203

Связанные уязвимости

CVE-2023-32691

CVSS3: 5.9

nvd

больше 2 лет назад

gost (GO Simple Tunnel) is a simple tunnel written in golang. Sensitive secrets such as passwords, token and API keys should be compared only using a constant-time comparison function. Untrusted input, sourced from a HTTP header, is compared directly with a secret. Since this comparison is not secure, an attacker can mount a side-channel timing attack to guess the password. As a workaround, this can be easily fixed using a constant time comparing function such as `crypto/subtle`'s `ConstantTimeCompare`.

EPSS

Процентиль: 44%

0.00215

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2023-32691

Дефекты

CWE-203