Bug 963329 - (CVE-2015-7576) VUL-0: CVE-2015-7576: rubygem-actionpack, rubygem-activesupport: Timing attack vulnerability in basic authentication in Action Controller
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:RedHat:CVE-2015-7576:4.3:(AV:N...
Depends on:
Blocks: 963563
 
Reported: 2016-01-23 21:18 UTC by Andreas Stieger
Modified: 2017-09-11 16:03 UTC (History)
8 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
jsegitz: needinfo? (mrueckert)


Attachments
5-0-basic_auth.patch (2.47 KB, patch) - 2016-01-23 21:19 UTC, Andreas Stieger
4-2-basic_auth.patch (2.47 KB, patch) - 2016-01-23 21:19 UTC, Andreas Stieger
4-1-basic_auth.patch (2.97 KB, patch) - 2016-01-23 21:20 UTC, Andreas Stieger
3-2-basic_auth.patch (3.06 KB, patch) - 2016-01-23 21:20 UTC, Andreas Stieger
an example rails application with authentication (293.13 KB, application/x-bzip) - 2016-01-26 12:56 UTC, Jordi Massaguer

Description Andreas Stieger 2016-01-23 21:18:38 UTC
EMBARGOED via distros
CRD: 2016-01-25

Timing attack vulnerability in basic authentication in Action Controller.

There is a timing attack vulnerability in the basic authentication support
in Action Controller. This vulnerability has been assigned the CVE
identifier CVE-2015-7576.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact
------
Due to the way that Action Controller compares user names and passwords in
basic authentication authorization code, it is possible for an attacker to
analyze the time taken by a response and intuit the password.

For example, this string comparison:

  "foo" == "bar"

is possibly faster than this comparison:

  "foo" == "fo1"

Attackers can use this information to attempt to guess the username and
password used in the basic authentication system.

You can tell your application is vulnerable to this attack by looking for
`http_basic_authenticate_with` method calls in your application.

All users running an affected release should either upgrade or use one of
the workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:

```
$ cat config/initializers/basic_auth_fix.rb
module ActiveSupport
  module SecurityUtils
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize

      l = a.unpack "C#{a.bytesize}"

      res = 0
      b.each_byte { |byte| res |= byte ^ l.shift }
      res == 0
    end
    module_function :secure_compare

    def variable_size_secure_compare(a, b)
      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
    end
    module_function :variable_size_secure_compare
  end
end

module ActionController
  class Base
    def self.http_basic_authenticate_with(options = {})
      before_action(options.except(:name, :password, :realm)) do
        authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
          # This comparison uses & so that it doesn't short circuit and
          # uses `variable_size_secure_compare` so that length information
          # isn't leaked.
          ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
            ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
        end
      end
    end
  end
end
```


Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 4-1-basic_auth.patch - Patch for 4.1 series
* 4-2-basic_auth.patch - Patch for 4.2 series
* 5-0-basic_auth.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------

Thank you to Daniel Waterworth for reporting the problem and working with us to
fix it.
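Added example, not part of the advisory above and not code from Rails or from the SUSE packages: a stand-alone Ruby script that makes the leak described under "Impact" visible without wall-clock measurements and shows why the "Workarounds" monkey patch compares the way it does. Each comparator returns its boolean result together with the number of bytes it examined. The early-exit comparator (the behaviour of a plain `==`) examines more bytes the more leading bytes of the guess are correct, which is the signal a timing attack measures; the `secure_compare`-style loop always examines every byte, and the hashed variant always examines the 64 hex characters of the SHA-256 digests, so neither the length nor the position of the first difference is exposed. The secret, the guesses and the function names `naive_compare`, `work_profile` and `credentials_match?` are constructed for this example.

```ruby
require "digest"

# Early-exit comparison, mirroring what String#== does: it stops at the first
# mismatching byte, so the work done depends on how many leading bytes match.
# Returns [result, bytes_examined]. (Constructed for this example.)
def naive_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  examined = 0
  a.bytesize.times do |i|
    examined += 1
    return [false, examined] if a.getbyte(i) != b.getbyte(i)
  end
  [true, examined]
end

# Constant-time comparison in the style of the advisory's secure_compare:
# every byte is XORed and OR-accumulated, so the loop never exits early.
# It still reveals whether the lengths match, which is why the advisory hashes
# both inputs first (see variable_size_secure_compare below).
def secure_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  l = a.unpack("C#{a.bytesize}")
  res = 0
  examined = 0
  b.each_byte { |byte| res |= byte ^ l.shift; examined += 1 }
  [res == 0, examined]
end

# Hashing both sides first turns any input into a fixed 64-character hex string,
# so the comparison always does the same amount of work regardless of input length.
def variable_size_secure_compare(a, b)
  secure_compare(Digest::SHA256.hexdigest(a), Digest::SHA256.hexdigest(b))
end

# Mirrors the advisory's authentication block: `&` (not `&&`) evaluates both
# comparisons even when the user name already failed, so a wrong name costs
# the same as a right one. (Constructed for this example.)
def credentials_match?(name, password, expected_name, expected_password)
  variable_size_secure_compare(name, expected_name).first &
    variable_size_secure_compare(password, expected_password).first
end

# For each guess, report how many bytes each comparator examined against the
# secret; only the naive column varies with the quality of the guess.
def work_profile(secret, guesses)
  guesses.map do |g|
    {
      guess: g,
      naive: naive_compare(g, secret).last,
      secure: secure_compare(g, secret).last,
      hashed: variable_size_secure_compare(g, secret).last,
    }
  end
end

if __FILE__ == $0
  secret = "hunter2!" # constructed sample password
  guesses = ["xxxxxxxx", "hxxxxxxx", "huntexxx", "hunter2!", "hunter2"]
  work_profile(secret, guesses).each do |row|
    puts format("%-10s naive=%2d secure=%2d hashed=%2d",
                row[:guess], row[:naive], row[:secure], row[:hashed])
  end
end
```

Running the file prints one row per guess; the `naive` column climbs from 1 to 8 as the guess acquires correct leading bytes, the `secure` column stays at 8 for every same-length guess, and the `hashed` column stays at 64 even for the shorter guess. The instrumentation counters exist only to make the work visible; the comparison logic is otherwise the same shape as the initializer in the advisory.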
Comment 1 Andreas Stieger 2016-01-23 21:19:11 UTC
Created attachment 662977 [details]
5-0-basic_auth.patch
Comment 2 Andreas Stieger 2016-01-23 21:19:38 UTC
Created attachment 662978 [details]
4-2-basic_auth.patch
Comment 3 Andreas Stieger 2016-01-23 21:20:00 UTC
Created attachment 662979 [details]
4-1-basic_auth.patch
Comment 4 Andreas Stieger 2016-01-23 21:20:23 UTC
Created attachment 662980 [details]
3-2-basic_auth.patch
Comment 5 Swamp Workflow Management 2016-01-23 23:00:50 UTC
bugbot adjusting priority
Comment 10 Andreas Stieger 2016-01-26 07:21:30 UTC
public at http://seclists.org/oss-sec/2016/q1/201
Comment 13 Jordi Massaguer 2016-01-26 12:56:37 UTC
Created attachment 663243 [details]
an example rails application with authentication

I don't know how to test this fix. I have attached an example rails application that uses the http_basic_authenticate_with method, in order to test that there is no regression.
Comment 20 Bernhard Wiedemann 2016-01-27 16:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (963329) was mentioned in
https://build.opensuse.org/request/show/356307 42.1 / rubygem-actionpack-4_2
Comment 21 Bernhard Wiedemann 2016-01-27 17:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (963329) was mentioned in
https://build.opensuse.org/request/show/356315 13.2 / rubygem-actionpack-3_2
https://build.opensuse.org/request/show/356316 13.2 / rubygem-activesupport-3_2
https://build.opensuse.org/request/show/356321 42.1 / rubygem-activesupport-4_2
Comment 22 Jordi Massaguer 2016-01-28 08:57:19 UTC
All submissions done.

I am clearing the needinfo from astieger since he already answered on using is_maintained.rb

I am assigning it to security team for revision.
Comment 23 Swamp Workflow Management 2016-02-07 19:12:55 UTC
openSUSE-SU-2016:0363-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963330,963331,963332
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2016-0751,CVE-2016-0752
Sources used:
openSUSE 13.2 (src):    rubygem-actionpack-3_2-3.2.17-3.7.1, rubygem-activerecord-3_2-3.2.17-3.3.1, rubygem-activesupport-3_2-3.2.17-2.6.1
Comment 24 Swamp Workflow Management 2016-02-07 19:17:42 UTC
openSUSE-SU-2016:0372-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963330,963331,963332,963334,963335
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753
Sources used:
openSUSE Leap 42.1 (src):    rubygem-actionpack-4_2-4.2.4-6.1, rubygem-actionview-4_2-4.2.4-6.1, rubygem-activemodel-4_2-4.2.4-6.1, rubygem-activerecord-4_2-4.2.4-6.1, rubygem-activesupport-4_2-4.2.4-6.1
Comment 25 Swamp Workflow Management 2016-02-11 20:12:59 UTC
SUSE-SU-2016:0435-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963334
CVE References: CVE-2015-7576,CVE-2016-0753
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-activesupport-4_2-4.2.2-6.1
Comment 26 Swamp Workflow Management 2016-02-15 17:12:39 UTC
SUSE-SU-2016:0457-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-actionpack-4_2-4.2.2-6.1
Comment 27 Ondřej Súkup 2016-02-25 08:54:22 UTC
The patch 4-1-basic-auth.patch is based on rubygem-active_support 4.1.14+; version 4.1.9 doesn't have the active_support/security_utils module.
Comment 28 Swamp Workflow Management 2016-02-26 18:12:39 UTC
SUSE-SU-2016:0600-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963334
CVE References: CVE-2015-7576,CVE-2016-0753
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-activesupport-4_1-4.1.9-12.1
Comment 29 Swamp Workflow Management 2016-03-01 17:14:57 UTC
SUSE-SU-2016:0618-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332
CVE References: CVE-2015-7576,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE Webyast 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Studio Onsite 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
Comment 30 Swamp Workflow Management 2016-03-01 17:22:49 UTC
SUSE-SU-2016:0623-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 963329
CVE References: CVE-2015-7576
Sources used:
SUSE Webyast 1.3 (src):    rubygem-activesupport-3_2-3.2.12-0.18.1
SUSE Studio Onsite 1.3 (src):    rubygem-activesupport-3_2-3.2.12-0.18.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    rubygem-activesupport-3_2-3.2.12-0.18.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    rubygem-activesupport-3_2-3.2.12-0.18.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-activesupport-3_2-3.2.12-0.18.1
Comment 31 Marcus Meissner 2016-03-14 13:44:20 UTC
Jordi, please check comment #c27, it led to the rejection of

 rubygem-actionpack-4_1.SUSE_SLE-11-SP3_Update_Cloud5_Test_Update
Comment 32 Jordi Massaguer 2016-03-14 15:22:14 UTC
I've submitted this morning this new request:

https://build.suse.de/request/show/102862
Comment 33 Swamp Workflow Management 2016-03-22 20:08:47 UTC
SUSE-SU-2016:0858-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-actionpack-4_1-4.1.9-9.1
Comment 34 Jordi Massaguer 2016-04-26 09:23:41 UTC
Update has been released