Bugzilla – Bug 963329
VUL-0: CVE-2015-7576: rubygem-actionpack, rubygem-activesupport: Timing attack vulnerability in basic authentication in Action Controller
Last modified: 2017-09-11 16:03:55 UTC
EMBARGOED via distros CRD: 2016-01-25

Timing attack vulnerability in basic authentication in Action Controller

There is a timing attack vulnerability in the basic authentication support in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2015-7576.

Versions Affected: All.
Not affected: None.
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact
------

Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. For example, this string comparison:

    "foo" == "bar"

is possibly faster than this comparison:

    "foo" == "fo1"

Attackers can use this information to attempt to guess the username and password used in the basic authentication system.

You can tell your application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

If you can't upgrade, please use the following monkey patch in an initializer that is loaded before your application:

```
$ cat config/initializers/basic_auth_fix.rb
module ActiveSupport
  module SecurityUtils
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize

      l = a.unpack "C#{a.bytesize}"

      res = 0
      b.each_byte { |byte| res |= byte ^ l.shift }
      res == 0
    end
    module_function :secure_compare

    def variable_size_secure_compare(a, b)
      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
    end
    module_function :variable_size_secure_compare
  end
end

module ActionController
  class Base
    def self.http_basic_authenticate_with(options = {})
      before_action(options.except(:name, :password, :realm)) do
        authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
          # This comparison uses & so that it doesn't short circuit and
          # uses `variable_size_secure_compare` so that length information
          # isn't leaked.
          ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
            ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
        end
      end
    end
  end
end
```

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 4-1-basic_auth.patch - Patch for 4.1 series
* 4-2-basic_auth.patch - Patch for 4.2 series
* 5-0-basic_auth.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thank you to Daniel Waterworth for reporting the problem and working with us to fix it.
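The following is an added illustration, not part of the advisory or of Rails itself: it instruments a short-circuiting comparison next to a constant-time one in the style of the monkey patch above, so the difference in work per mismatch position (and the length-hiding effect of hashing first) can be observed directly. `naive_compare_steps`, `secure_compare_steps`, `variable_size_secure_compare_steps` and `basic_auth_credentials_ok?` are hypothetical helper names chosen for this example.

```ruby
require 'digest'

# Naive comparison, instrumented: returns [equal?, bytes_examined].
# This models what a short-circuiting String#== does: it stops at the
# first differing byte, so the work done depends on the secret.
def naive_compare_steps(a, b)
  return [false, 0] if a.bytesize != b.bytesize   # also leaks the length
  steps = 0
  a.each_byte.with_index do |byte, i|
    steps += 1
    return [false, steps] if byte != b.getbyte(i)
  end
  [true, steps]
end

# Constant-time comparison in the style of the advisory's secure_compare:
# XOR every byte pair and OR the results together, never exiting early,
# so the work done is the same for every mismatch position.
def secure_compare_steps(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  res = 0
  steps = 0
  a.each_byte.with_index do |byte, i|
    steps += 1
    res |= byte ^ b.getbyte(i)
  end
  [res.zero?, steps]
end

# Length-hiding variant: hash both inputs to a fixed 64-hex-char digest
# first, so the byte count compared no longer depends on either input.
def variable_size_secure_compare_steps(a, b)
  secure_compare_steps(Digest::SHA256.hexdigest(a), Digest::SHA256.hexdigest(b))
end

# Credential check in the shape of the patched http_basic_authenticate_with:
# `&` (not `&&`) evaluates both comparisons, so a wrong user name does not
# skip the password comparison. (Hypothetical helper, not a Rails API.)
def basic_auth_credentials_ok?(name, password, expected_name, expected_password)
  variable_size_secure_compare_steps(name, expected_name).first &
    variable_size_secure_compare_steps(password, expected_password).first
end
```

Comparing `"secret"` against `"xecret"` and `"secrex"` shows the naive version examining 1 and 6 bytes respectively while the secure version always examines 6; after hashing, every comparison examines 64 bytes regardless of input length.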
Created attachment 662977 [details] 5-0-basic_auth.patch
Created attachment 662978 [details] 4-2-basic_auth.patch
Created attachment 662979 [details] 4-1-basic_auth.patch
Created attachment 662980 [details] 3-2-basic_auth.patch
bugbot adjusting priority
public at http://seclists.org/oss-sec/2016/q1/201
Created attachment 663243 [details] an example rails application with authentication I don't know how to test this fix. I have attached an example rails application that uses the http_basic_authenticate_with method, in order to test that there is no regression.
This is an autogenerated message for OBS integration: This bug (963329) was mentioned in https://build.opensuse.org/request/show/356307 42.1 / rubygem-actionpack-4_2
This is an autogenerated message for OBS integration: This bug (963329) was mentioned in https://build.opensuse.org/request/show/356315 13.2 / rubygem-actionpack-3_2 https://build.opensuse.org/request/show/356316 13.2 / rubygem-activesupport-3_2 https://build.opensuse.org/request/show/356321 42.1 / rubygem-activesupport-4_2
All submissions done. I am clearing the needinfo from astieger since he already answered on using is_maintained.rb. I am assigning it to the security team for revision.
openSUSE-SU-2016:0363-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963330,963331,963332 CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2016-0751,CVE-2016-0752 Sources used: openSUSE 13.2 (src): rubygem-actionpack-3_2-3.2.17-3.7.1, rubygem-activerecord-3_2-3.2.17-3.3.1, rubygem-activesupport-3_2-3.2.17-2.6.1
openSUSE-SU-2016:0372-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963330,963331,963332,963334,963335 CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753 Sources used: openSUSE Leap 42.1 (src): rubygem-actionpack-4_2-4.2.4-6.1, rubygem-actionview-4_2-4.2.4-6.1, rubygem-activemodel-4_2-4.2.4-6.1, rubygem-activerecord-4_2-4.2.4-6.1, rubygem-activesupport-4_2-4.2.4-6.1
SUSE-SU-2016:0435-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963334 CVE References: CVE-2015-7576,CVE-2016-0753 Sources used: SUSE Enterprise Storage 2.1 (src): rubygem-activesupport-4_2-4.2.2-6.1
SUSE-SU-2016:0457-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963331,963332,963335 CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752 Sources used: SUSE Enterprise Storage 2.1 (src): rubygem-actionpack-4_2-4.2.2-6.1
The patch 4-1-basic-auth.patch is based on rubygem-active_support 4.1.14+; version 4.1.9 does not have the active_support/security_utils module.
SUSE-SU-2016:0600-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963334 CVE References: CVE-2015-7576,CVE-2016-0753 Sources used: SUSE OpenStack Cloud 5 (src): rubygem-activesupport-4_1-4.1.9-12.1
SUSE-SU-2016:0618-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963331,963332 CVE References: CVE-2015-7576,CVE-2016-0751,CVE-2016-0752 Sources used: SUSE Webyast 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Studio Onsite 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Lifecycle Management Server 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE-SU-2016:0623-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 963329 CVE References: CVE-2015-7576 Sources used: SUSE Webyast 1.3 (src): rubygem-activesupport-3_2-3.2.12-0.18.1 SUSE Studio Onsite 1.3 (src): rubygem-activesupport-3_2-3.2.12-0.18.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): rubygem-activesupport-3_2-3.2.12-0.18.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): rubygem-activesupport-3_2-3.2.12-0.18.1 SUSE Lifecycle Management Server 1.3 (src): rubygem-activesupport-3_2-3.2.12-0.18.1
Jordi, please check comment #c27; it led to the rejection of rubygem-actionpack-4_1.SUSE_SLE-11-SP3_Update_Cloud5_Test_Update.
I've submitted this new request this morning: https://build.suse.de/request/show/102862
SUSE-SU-2016:0858-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963331,963332,963335 CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752 Sources used: SUSE OpenStack Cloud 5 (src): rubygem-actionpack-4_1-4.1.9-9.1
Update has been released