CVE-2015-7576

Published: Jan 25, 2016
Source: redhat
CVSS2: 4.3
EPSS: Low

Description

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack.

Mitigation

Use the following code to monkey-patch the http_basic_authenticate_with method in ActionController (the same constant-time comparison that the fixed releases ship):

    require "digest"

    module ActiveSupport
      module SecurityUtils
        # Compare two strings of equal length in constant time: every byte is
        # visited and the differences are OR-ed together, so the time taken
        # does not depend on where the first mismatching byte is.
        def secure_compare(a, b)
          return false unless a.bytesize == b.bytesize

          l = a.unpack "C#{a.bytesize}"

          res = 0
          b.each_byte { |byte| res |= byte ^ l.shift }
          res == 0
        end
        module_function :secure_compare

        # Hash both inputs first so that strings of different length are still
        # compared in constant time and the length of the secret is not leaked.
        def variable_size_secure_compare(a, b)
          secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
        end
        module_function :variable_size_secure_compare
      end
    end

    module ActionController
      class Base
        def self.http_basic_authenticate_with(options = {})
          before_action(options.except(:name, :password, :realm)) do
            authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
              # This comparison uses & so that it doesn't short circuit and
              # uses `variable_size_secure_compare` so that length information
              # isn't leaked.
              ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
                ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
            end
          end
        end
      end
    end
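To make the timing difference the advisory describes concrete, the following added example (not the advisory's or Rails' own code) instruments a naive early-exit comparison and a constant-time comparison so that each reports how many byte comparisons it performed. The sample secret, the guesses and the helper names naive_compare, secure_compare and credentials_match? are all constructed for this illustration; the hash-then-compare step mirrors the variable_size_secure_compare idea from the patch above.

```ruby
require "digest"

# Added example (not from the advisory): instrumented string comparison.
# Both compare functions return [equal?, steps], where steps counts the
# byte comparisons actually performed.

# Naive comparison: returns as soon as a mismatch is found, so the amount of
# work (and therefore the time taken) depends on how many leading bytes match.
def naive_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  steps = 0
  a.each_byte.with_index do |byte, i|
    steps += 1
    return [false, steps] unless byte == b.getbyte(i)
  end
  [true, steps]
end

# Constant-time comparison: always walks every byte and accumulates the
# differences with XOR/OR, so the work depends only on the length.
def secure_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  res = 0
  steps = 0
  b.each_byte.with_index do |byte, i|
    steps += 1
    res |= byte ^ a.getbyte(i)
  end
  [res == 0, steps]
end

# Hash both sides first so the inputs always have the same length (64 hex
# chars) and the early length check cannot reveal the secret's length.
def variable_size_secure_compare(a, b)
  secure_compare(Digest::SHA256.hexdigest(a), Digest::SHA256.hexdigest(b))
end

# Credential check in the style of the patched http_basic_authenticate_with:
# `&` instead of `&&`, so the password compare runs even when the name is wrong.
def credentials_match?(name, password, expected_name, expected_password)
  name_ok, = variable_size_secure_compare(name, expected_name)
  pass_ok, = variable_size_secure_compare(password, expected_password)
  name_ok & pass_ok
end

if __FILE__ == $0
  secret = "s3cretpass" # constructed sample secret
  guesses = ["xxxxxxxxxx", "s3xxxxxxxx", "s3cretxxxx", "s3cretpass"]
  guesses.each do |g|
    _, naive_steps  = naive_compare(g, secret)
    _, secure_steps = secure_compare(g, secret)
    puts format("%-12s naive=%2d secure=%2d", g, naive_steps, secure_steps)
  end
end
```

Running the block prints one line per guess: the naive step count grows with the number of correct leading bytes (1, 3, 7, 10), while the constant-time count is always the full length (10). That growing count is the side channel the CVE describes; the hardened version removes it, and the `&` in credentials_match? removes the second one the advisory's comment mentions, where a short-circuiting `&&` would skip the password compare whenever the user name is wrong.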

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| CloudForms Management Engine 5.2 | ruby193-rubygem-actionpack | Will not fix | | |
| CloudForms Management Engine 5.3 | ruby193-rubygem-actionpack | Will not fix | | |
| Red Hat Subscription Asset Manager | ruby193-rubygem-actionpack | Will not fix | | |
| Red Hat Subscription Asset Manager | rubygem-actionpack | Will not fix | | |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-actionpack | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-actionview | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-activemodel | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-activerecord | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ror41-rubygem-activesupport | Fixed | RHSA-2016:0296 | 24.02.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | ror40-rubygem-actionpack | Fixed | RHSA-2016:0454 | 15.03.2016 |


Additional information

Status: Low
Defect: CWE-385
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1301933 (rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller)

EPSS: 0.01574 (percentile 81%, Low)

CVSS2: 4.3 Medium

Related vulnerabilities

CVSS3: 3.7
ubuntu
almost 10 years ago

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

CVSS3: 3.7
nvd
almost 10 years ago

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

CVSS3: 3.7
debian
almost 10 years ago

The http_basic_authenticate_with method in actionpack/lib/action_contr ...

suse-cvrf
almost 10 years ago

Security update for rubygem-activesupport-3_2

suse-cvrf
almost 10 years ago

Security update for rubygem-activesupport-3_2
