Dovecot: Dovecot authentication is vulnerable to timing attacks.

2017-04-08T20:22:49
ID H1:219607
Type hackerone
Reporter edoverflow
Modified 2017-04-13T09:14:06

Description

Dear Dovecot bug bounty team,

Dovecot is vulnerable to timing attacks, because the verify_credentials() function in CRAM-MD5 performs a byte-by-byte comparison, which terminates early when two characters do not match.

Summary


Timing attacks are a type of side channel attack where one can discover valuable information by recording the time it takes for a cryptographic algorithm to execute.

👎 Don't use memcmp() here:

~~~
if (i == 0) {
	/* verify response */
	if (memcmp(response_hex, request->response, 32) != 0) {
		auth_request_log_info(&request->auth_request,
				      AUTH_SUBSYS_MECH,
				      "password mismatch");
		return FALSE;
	}
} else {
	request->rspauth = p_strconcat(request->pool, "rspauth=",
				       response_hex, NULL);
}
~~~

Link to source code: https://github.com/dovecot/core/blob/master/src/auth/mech-digest-md5.c

The same applies in https://github.com/dovecot/core/blob/master/src/auth/mech-cram-md5.c:

~~~
if (memcmp(response_hex, request->response, sizeof(digest) * 2) != 0) {
	auth_request_log_info(&request->auth_request,
			      AUTH_SUBSYS_MECH,
			      "password mismatch");
	return FALSE;
}
~~~

memcmp() does a byte-by-byte comparison of two values and as soon as the two differ, it terminates. This means the longer it takes until the operation returns, the more correct characters the attacker has guessed.

Link to source code:

👍 Use this instead:

I would highly recommend you use OpenSSL's CRYPTO_memcmp().

On a side note, this issue appears in other places too, so I will have another thorough look.

Best regards, Ed
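
The difference between the two comparison styles discussed in the report, as an added example that is not part of the original report or of Dovecot's code. The function names (`early_exit_steps`, `ct_memcmp`, `response_matches`) and the 32-character hex digests are constructed for illustration; production code would call a vetted primitive such as the `CRYPTO_memcmp()` named above.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: an expected 32-char hex digest and two wrong guesses. */
static const char EXPECTED[]    = "5d41402abc4b2a76b9719d911017c592";
static const char WRONG_FIRST[] = "0d41402abc4b2a76b9719d911017c592";
static const char WRONG_LAST[]  = "5d41402abc4b2a76b9719d911017c593";

/* Models an early-exit comparison: returns how many bytes were examined
 * before the result was known. This count is what response time reveals. */
size_t early_exit_steps(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    size_t i;
    for (i = 0; i < n; i++)
        if (pa[i] != pb[i])
            return i + 1;
    return n;
}

/* Constant-time comparison: always reads all n bytes and folds the
 * differences into one accumulator. Returns 0 if equal, non-zero otherwise. */
int ct_memcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff;
}

/* Hypothetical verification helper: the length is public, so it may be
 * checked first; the secret-dependent part runs in constant time. */
int response_matches(const char *expected_hex, const char *resp, size_t resp_len)
{
    if (resp_len != 32)
        return 0;
    return ct_memcmp(expected_hex, resp, 32) == 0;
}

int main(void)
{
    printf("early exit, first byte wrong: %zu bytes examined\n",
           early_exit_steps(EXPECTED, WRONG_FIRST, 32));
    printf("early exit, last byte wrong:  %zu bytes examined\n",
           early_exit_steps(EXPECTED, WRONG_LAST, 32));
    printf("constant-time match: %d\n", response_matches(EXPECTED, EXPECTED, 32));
    return 0;
}
```

The early-exit variant examines 1 byte for one wrong guess and 32 for the other, while `ct_memcmp()` performs the same 32 iterations for both.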