Bugzilla – Bug 1025029
VUL-0: CVE-2017-2624: xorg-x11-server: Timing attack against MIT Cookie
Last modified: 2021-11-11 08:18:23 UTC
Embargoed until 2017-02-28. Received via private discussion on mailing list:

Summary and Impact
------------------

xorg-server/xorg-server-1.19.0/os/mitauth.c:79 uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session.

Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which in theory could allow an efficient brute force attack[1].

Analysis
--------

X41 was not able to measure a significant difference using the optimized memcmp() version of a standard Linux system, but for a naive implementation consisting of a loop comparing the bytes. Since timing attacks against memcmp() have been successful in the past [2] and fixed elsewhere [3][4], X41 would consider this an issue.

If this would be exploited, it would allow a local attacker to run code in the Xorg session of another user.

In order to prevent this, MIT-COOKIES should be removed or a memcmp() similar to timingsafe_memcmp()[5] used. Other projects (e.g. openssl) use timing safe memcmp() implementations to compare cookies retrieved via the network[6].

References
----------

[1] https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time
[2] http://de.slideshare.net/cisoplatform7/defcon-22paulmcmillanattackingtheiotusingtimingattac
[3] http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf
[4] https://bugs.ruby-lang.org/issues/10098
[5] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/timingsafe_memcmp.c
[6] https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L1249
There is no final patch for this issue yet. The difficulty is that there's currently no constant time memcmp() function available in the xorg-server code. Apart from that the fix should be as easy as replacing the memcmp() in MitCheckCookie() with a call to some memcmp_const_time() function. Even the oldest codestream SUSE:SLE-10-SP3:Update contains the MitCheckCookie() function and the memcmp() call. So we can consider all codestreams as affected. We will give an update once we know about the final patch.
bugbot adjusting priority
was published on full-disclosure
Created attachment 715738
X41-2017-001.txt advisory

X41 D-Sec GmbH Security Advisory: X41-2017-001

Multiple Vulnerabilities in X.org
=================================

Overview
--------

Vendor: X.org/Freedesktop.org
Vendor URL: https://www.x.org/wiki/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
Status: Public

Timing attack against MIT Cookie
================================

Vulnerability Type: Other
Affected Products: Xorg Server
Attack Type: Local
Impact: Escalation of Privileges
Severity Rating: low
Confirmed Affected Version: 1.19.0 and lower
Confirmed Patched Version: -
Vector: local
CVE: CVE-2017-2624
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Summary and Impact
------------------

The xorg-server uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session:

    XID
    MitCheckCookie(unsigned short data_length, const char *data,
                   ClientPtr client, const char **reason)
    {
        struct auth *auth;

        for (auth = mit_auth; auth; auth = auth->next) {
            if (data_length == auth->len &&
                memcmp(data, auth->data, (int) data_length) == 0)
                return auth->id;
        }
        *reason = "Invalid MIT-MAGIC-COOKIE-1 key";
        return (XID) -1;
    }

Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which in theory could allow an efficient brute force attack[1].

Analysis
--------

X41 was not able to measure a significant difference using the optimised memcmp() version of a standard Linux system, but for a naive implementation consisting of a loop comparing the bytes. Since timing attacks against memcmp() have been successful in the past [2] and fixed elsewhere [3][4] X41 would consider this an issue.

If this would be exploited, it would allow a local attacker to run code in the Xorg session of another user.

In order to prevent this, MIT-COOKIES should be removed or a memcmp() similar to timingsafe_memcmp()[5] used. Other projects (e.g. openssl) use timing safe memcmp() implementations to compare cookies retrieved via the network[6].

Workaround
----------

None

References
Just found in git:

commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Tue Feb 28 19:18:25 2017 +0100

    Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES

    CVE-2017-2624

    Provide the function definition for systems that don't have it.

    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
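The fix the commit above describes, as an added example that is not the xorg-server or OpenBSD code: a constant-time comparison with timingsafe_memcmp() semantics, and a stand-in for MitCheckCookie() that keeps the advisory's control flow but calls it instead of memcmp(). The struct auth layout, the cookie values and check_cookie() are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>

/* Constant-time comparison with timingsafe_memcmp() semantics (<0, 0, >0).
 * Every byte is visited and no branch depends on the data, so the elapsed
 * time does not reveal where the first mismatch sits. Unsigned wraparound is
 * used for the sign test, which is well defined (a right shift of a negative
 * int is not). Written for this example, not the OpenBSD or xorg-server code. */
int ct_memcmp(const void *b1, const void *b2, size_t len)
{
    const unsigned char *p1 = b1, *p2 = b2;
    const unsigned shift = sizeof(unsigned) * CHAR_BIT - 1;
    int res = 0, done = 0;   /* done becomes -1 (all ones) after a mismatch */
    size_t i;

    for (i = 0; i < len; i++) {
        unsigned a = p1[i], b = p2[i];
        int lt = (int)((a - b) >> shift);   /* 1 if p1[i] < p2[i], else 0 */
        int gt = (int)((b - a) >> shift);   /* 1 if p1[i] > p2[i], else 0 */
        int cmp = gt - lt;                  /* -1, 0 or 1 for this byte */
        res |= cmp & ~done;                 /* keep only the first difference */
        done |= -(lt | gt);                 /* latch once a byte differed */
    }
    return res;
}

/* Hypothetical stand-in for xorg-server's struct auth. */
struct auth {
    size_t len;
    const unsigned char *data;
    int id;
    struct auth *next;
};

/* Constructed sample cookies (not real keys): two registered 16-byte values. */
static const unsigned char cookie_a[] = "0123456789abcdef";
static const unsigned char cookie_b[] = "fedcba9876543210";
static struct auth auth_b = { 16, cookie_b, 2, NULL };
static struct auth auth_a = { 16, cookie_a, 1, &auth_b };
static struct auth *mit_auth = &auth_a;

/* Same loop as MitCheckCookie(), with memcmp() swapped for the constant-time
 * version; the length test is not secret-dependent and can stay as it is. */
int check_cookie(const unsigned char *data, size_t data_length)
{
    struct auth *auth;
    for (auth = mit_auth; auth; auth = auth->next) {
        if (data_length == auth->len &&
            ct_memcmp(data, auth->data, data_length) == 0)
            return auth->id;
    }
    return -1;
}
```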
According to Michal Srb this is the fix.
Already fixed in factory/TW (xorg-server-1.19.3).
This is an autogenerated message for OBS integration: This bug (1025029) was mentioned in https://build.opensuse.org/request/show/502781 Factory / xorg-x11-server
Submitted to sle11-sp3: SR#133961
Submitted to sle11-sp1: SR#133962
Submitted to sle10-sp3: SR#133963

Reassigning to security team ...
This is an autogenerated message for OBS integration: This bug (1025029) was mentioned in https://build.opensuse.org/request/show/502874 42.2 / xorg-x11-server
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-06-26. When done, reassign the bug to security-team@suse.de.

https://swamp.suse.de/webswamp/wf/63669
openSUSE-SU-2017:1610-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1025029,1025035,1025084
CVE References: CVE-2017-2624
Sources used:
openSUSE Leap 42.2 (src): xorg-x11-server-7.6_1.18.3-12.15.2
SUSE-SU-2017:1675-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1019649,1021803,1025029,1025035,1025084,1025985,1032509,1039042
CVE References: CVE-2017-2624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Server 12-SP2 (src): xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Desktop 12-SP2 (src): xorg-x11-server-7.6_1.18.3-71.1
SUSE-SU-2017:1741-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1019649,1025029,1025035,1025084,981044
CVE References: CVE-2017-2624
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): xorg-x11-server-7.4-27.118.1
SUSE Linux Enterprise Server 11-SP4 (src): xorg-x11-server-7.4-27.118.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xorg-x11-server-7.4-27.118.1
done