Bug 1025029 (CVE-2017-2624)

Summary: VUL-0: CVE-2017-2624: xorg-x11-server: Timing attack against MIT Cookie
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, cdhuang, matthias.gerstner, meissner, sndirsch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:SUSE:CVE-2017-2624:4.0:(AV:L/AC:H/Au:N/C:C/I:N/A:N) CVSSv3.1:SUSE:CVE-2017-2624:5.9:(AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) maint:planned:update maint:released:sle10-sp3:63670 maint:running:63669:moderate
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1025639
Attachments: X41-2017-001.txt

Description Matthias Gerstner 2017-02-13 15:54:07 UTC
Embargoed until 2017-02-28.

Received via private discussion on mailing list:

Summary and Impact
------------------

xorg-server/xorg-server-1.19.0/os/mitauth.c:79 uses memcmp() to check
the received MIT cookie against a series of valid cookies. If the cookie
is correct, it is allowed to attach to the Xorg session. Since most
memcmp() implementations return after an invalid
byte is seen, this causes a time difference between a valid and invalid
byte, which in theory could allow an efficient brute force attack[1].

Analysis
--------
X41 was not able to measure a significant difference using the optimized
memcmp() version of a standard Linux system, but for a naive implementation
consisting of a loop comparing the bytes. Since timing attacks against
memcmp() have been successful in the past [2] and fixed elsewhere
[3][4] X41 would consider this an issue. If this would be exploited, it
would allow a local attacker to run code in the Xorg session of another
user.

In order to prevent this, MIT-COOKIES should be removed or a memcmp()
similar to timingsafe_memcmp()[5] used. Other projects (e.g. openssl)
use timing safe memcmp() implementations to compare cookies retrieved
via the network[6].

References
----------

[1] https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time
[2] http://de.slideshare.net/cisoplatform7/defcon-22paulmcmillanattackingtheiotusingtimingattac
[3] http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf
[4] https://bugs.ruby-lang.org/issues/10098
[5] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/timingsafe_memcmp.c
[6] https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L1249
Comment 1 Matthias Gerstner 2017-02-13 15:57:23 UTC
There is no final patch for this issue yet. The difficulty is that there's
currently no constant time memcmp() function available in the xorg-server
code. Apart from that the fix should be as easy as to replace the memcmp() in
MitCheckCookie() by a call to some memcmp_const_time() function.

Even the oldest codestream SUSE:SLE-10-SP3:Update contains the
MitCheckCookie() function and the memcmp() call. So we can consider all
codestreams as affected.

We will give an update once we know about the final patch.
Comment 2 Swamp Workflow Management 2017-02-13 23:01:31 UTC
bugbot adjusting priority
Comment 6 Marcus Meissner 2017-02-28 14:48:23 UTC
was published on full-disclosure
Comment 7 Marcus Meissner 2017-02-28 14:55:23 UTC
Created attachment 715738 [details]
X41-2017-001.txt

X41-2017-001.txt advisory

X41 D-Sec GmbH Security Advisory: X41-2017-001

Multiple Vulnerabilities in X.org
=================================

Overview
--------
Vendor: X.org/Freedesktop.org
Vendor URL: https://www.x.org/wiki/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
Status: Public


Timing attack against MIT Cookie
================================
Vulnerability Type: Other
Affected Products: Xorg Server
Attack Type: Local
Impact: Escalation of Privileges
Severity Rating: low
Confirmed Affected Version: 1.19.0 and lower
Confirmed Patched Version: -
Vector: local
CVE: CVE-2017-2624
CVSS Score: 5.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N


Summary and Impact
------------------
The xorg-server uses memcmp() to check the received MIT cookie against a
series of valid cookies. If the cookie is correct, it is allowed to
attach to the Xorg session:

        XID
        MitCheckCookie(unsigned short data_length,
                       const char *data, ClientPtr client, const char **reason)
        {
            struct auth *auth;
        
            for (auth = mit_auth; auth; auth = auth->next) {
                if (data_length == auth->len &&
                    memcmp(data, auth->data, (int) data_length) == 0)
                    return auth->id;
            }
            *reason = "Invalid MIT-MAGIC-COOKIE-1 key";
            return (XID) -1;
        }

Since most memcmp() implementations return after an invalid byte is
seen, this causes a time difference between a valid and invalid byte,
which in theory could allow an efficient brute force attack[1].

Analysis
--------
X41 was not able to measure a significant difference using the optimised
memcmp() version of a standard Linux system, but for a naive
implementation consisting of a loop comparing the bytes. Since timing
attacks against memcmp() have been successful in the past [2] and fixed
elsewhere [3][4] X41 would consider this an issue. If this would be
exploited, it would allow a local attacker to run code in the Xorg
session of another user.

In order to prevent this, MIT-COOKIES should be removed or a memcmp()
similar to timingsafe_memcmp()[5] used. Other projects (e.g. openssl)
use timing safe memcmp() implementations to compare cookies retrieved
via the network[6].

Workaround
----------

None

References
Comment 8 Stefan Dirsch 2017-03-03 15:34:47 UTC
Just found in git:

commit d7ac755f0b618eb1259d93c8a16ec6e39a18627c
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Tue Feb 28 19:18:25 2017 +0100

    Use timingsafe_memcmp() to compare MIT-MAGIC-COOKIES CVE-2017-2624
    
    Provide the function definition for systems that don't have it.
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
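The commit above replaces the memcmp() in MitCheckCookie() with timingsafe_memcmp(). The following C is an added example, not code from the xorg-server tree or from the X41 advisory: it shows a naive early-exit compare instrumented to report how many bytes it examined, a constant-time equality check beside it, and the cookie loop from the advisory rewritten on top of that check. The struct auth layout, the function names and the two sample cookies are constructed for illustration.

```c
#include <stddef.h>
/* Constructed stand-in for the server's auth list entry (hypothetical). */
struct auth { unsigned short len; const unsigned char *data; long id; const struct auth *next; };

/* Naive early-exit compare (the memcmp() behaviour the advisory describes). *steps
 * counts the bytes examined: it grows with the matching prefix, the timing channel. */
int naive_memcmp_eq(const void *a, const void *b, size_t len, size_t *steps)
{
    const unsigned char *p = a, *q = b;
    for (size_t i = 0; i < len; i++)
        if (p[i] != q[i]) { *steps = i + 1; return 0; }
    *steps = len;
    return 1;
}

/* Constant-time equality: touches every byte, ORs the differences together
 * and has no data-dependent branch, so the work done does not depend on
 * where the inputs differ (the equality half of timingsafe_memcmp()). */
int ct_memcmp_eq(const void *a, const void *b, size_t len, size_t *steps)
{
    const unsigned char *p = a, *q = b;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (unsigned char)(p[i] ^ q[i]);
    *steps = len;
    return acc == 0;
}

/* Hardened form of the MitCheckCookie() loop: only the byte compare changes.
 * The length compare stays as is because the length is not secret. */
long ct_check_cookie(unsigned short data_length, const unsigned char *data,
                     const struct auth *list)
{
    size_t steps;
    for (const struct auth *a = list; a; a = a->next)
        if (data_length == a->len && ct_memcmp_eq(data, a->data, a->len, &steps))
            return a->id;
    return -1;   /* "Invalid MIT-MAGIC-COOKIE-1 key" in the original */
}

/* Lookup against two constructed 16-byte sample cookies (not real secrets). */
long demo_lookup(const unsigned char *cookie, unsigned short len)
{
    static const unsigned char c1[] = "0123456789abcdef";
    static const unsigned char c2[] = "fedcba9876543210";
    static const struct auth a2 = { 16, c2, 2, NULL };
    static const struct auth a1 = { 16, c1, 1, &a2 };
    return ct_check_cookie(len, cookie, &a1);
}
```

With the naive compare, the step count reveals how many leading bytes of a guess were right; the constant-time version always reports the full length.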
Comment 9 Stefan Dirsch 2017-06-07 15:28:40 UTC
According to Michal Srb this is the fix.
Comment 11 Stefan Dirsch 2017-06-10 11:49:01 UTC
Already fixed in factory/TW (xorg-server-1.19.3).
Comment 12 Bernhard Wiedemann 2017-06-10 12:00:58 UTC
This is an autogenerated message for OBS integration:
This bug (1025029) was mentioned in
https://build.opensuse.org/request/show/502781 Factory / xorg-x11-server
Comment 13 Stefan Dirsch 2017-06-11 12:15:43 UTC
Submitted to sle11-sp3: SR#133961
Submitted to sle11-sp1: SR#133962
Submitted to sle10-sp3: SR#133963

Reassigning to security team ...
Comment 14 Bernhard Wiedemann 2017-06-11 14:00:54 UTC
This is an autogenerated message for OBS integration:
This bug (1025029) was mentioned in
https://build.opensuse.org/request/show/502874 42.2 / xorg-x11-server
Comment 17 Swamp Workflow Management 2017-06-12 12:33:20 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-06-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63669
Comment 18 Swamp Workflow Management 2017-06-19 19:09:41 UTC
openSUSE-SU-2017:1610-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1025029,1025035,1025084
CVE References: CVE-2017-2624
Sources used:
openSUSE Leap 42.2 (src):    xorg-x11-server-7.6_1.18.3-12.15.2
Comment 19 Swamp Workflow Management 2017-06-26 13:14:26 UTC
SUSE-SU-2017:1675-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1019649,1021803,1025029,1025035,1025084,1025985,1032509,1039042
CVE References: CVE-2017-2624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Server 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    xorg-x11-server-7.6_1.18.3-71.1
Comment 20 Swamp Workflow Management 2017-06-30 19:10:18 UTC
SUSE-SU-2017:1741-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1019649,1025029,1025035,1025084,981044
CVE References: CVE-2017-2624
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-server-7.4-27.118.1
Comment 21 Marcus Meissner 2017-07-01 07:48:49 UTC
done