[SECURITY] Mitigate timing discrepancies during user authentication
Observing response time during user authentication can be used to
distinguish between existing and non-existing user accounts. This
change introduces `MimicServiceInterface::mimicAuthUser` — to be
implemented by 3rd party authentication services — which simulates
the time that regular processing would usually take.

Resolves: #98217
Releases: main, 11.5, 10.4
Change-Id: I143ae0d3877dffe6f2decbb3f0cf8c9d9cb6ca0b
Security-Bulletin: TYPO3-CORE-SA-2022-007
Security-References: CVE-2022-36105
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75716
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
ohader committed Sep 13, 2022
1 parent 179dd7c commit f8b83ce
Showing 3 changed files with 61 additions and 1 deletion.
Expand Up @@ -579,6 +579,15 @@ public function checkAuthentication(ServerRequestInterface $request)
break;
}
}
// mimic user authentication to mitigate observable timing discrepancies
// @link https://cwe.mitre.org/data/definitions/208.html
} elseif ($activeLogin) {
$subType = 'authUser' . $this->loginType;
foreach ($this->getAuthServices($subType, $loginData, $authInfo) as $serviceObj) {
if ($serviceObj instanceof MimicServiceInterface && $serviceObj->mimicAuthUser() === false) {
break;
}
}
}

// If user is authenticated a valid user is in $tempuser
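Review bot: The two comment lines added at L29-L30 sit between the closing brace of the `if` body and `} elseif ($activeLogin) {`, so they read as a trailing comment of the branch that found a user rather than of the mimic branch they describe; move them to the first line of the `elseif` body, directly above `$subType = 'authUser' . $this->loginType;`. The loop stops at the first service whose `mimicAuthUser()` returns `false`, and the core `AuthenticationService` implementation in this commit always returns `false`, so services later in the chain never get to mimic; if that is intended, a comment such as `// the first service returning false ends the mimic chain` would make it explicit at the call site. `checkAuthentication()` starts and continues outside this hunk, and that the branch is only reached for submitted logins is inferred from the `$activeLogin` condition alone.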
Expand Up @@ -28,7 +28,7 @@
/**
* Authentication services class
*/
class AuthenticationService extends AbstractAuthenticationService
class AuthenticationService extends AbstractAuthenticationService implements MimicServiceInterface
{
/**
* Process the submitted credentials.
Expand Down Expand Up @@ -174,6 +174,22 @@ public function authUser(array $user): int
return 200;
}

/**
* Mimics password hashing for invalid authentication requests to mitigate
* @link https://cwe.mitre.org/data/definitions/208.html: CWE-208: Observable Timing Discrepancy
*/
public function mimicAuthUser(): bool
{
try {
$hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
$defaultHashInstance = $hashFactory->getDefaultHashInstance($this->pObj->loginType);
$defaultHashInstance->getHashedPassword(random_bytes(10));
} catch (\Exception) {
// no further processing here
}
return false;
}

/**
* Method updates a FE/BE user record - in this case a new password string will be set.
*
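Review bot: `catch (\Exception)` at L65 swallows every failure of the mimic step, so if `getDefaultHashInstance()` cannot provide a hash instance for the given login type the method returns without hashing and the timing discrepancy this commit mitigates quietly comes back. Consider narrowing the catch to the exception type the hash factory throws and, at minimum, logging the failure so that the degraded mitigation is visible; whether this service has a logger available is not visible in the hunk. The docblock at L55-L58 is also hard to read as one sentence (`... to mitigate @link ...: CWE-208 ...`); `Mimics password hashing for invalid authentication requests to mitigate observable timing discrepancies (CWE-208).` with the `@link` tag on its own line reads better. Because the hashed input is `random_bytes(10)`, the cost of the configured hash algorithm should dominate any input-length difference, but that depends on the algorithm in use rather than on anything the hunk shows.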
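--- a/typo3/sysext/core/Classes/Authentication/MimicServiceInterface.php
+++ b/typo3/sysext/core/Classes/Authentication/MimicServiceInterface.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+* This file is part of the TYPO3 CMS project.
+*
+* It is free software; you can redistribute it and/or modify it under
+* the terms of the GNU General Public License, either version 2
+* of the License, or any later version.
+*
+* For the full copyright and license information, please read the
+* LICENSE.txt file that was distributed with this source code.
+*
+* The TYPO3 project - inspiring people to share!
+*/
+
+namespace TYPO3\CMS\Core\Authentication;
+
+interface MimicServiceInterface
+{
+/**
+* Mimics user authentication for known invalid authentication requests. This method can be used
+* to mitigate timing discrepancies for invalid authentication attempts, which can be used for
+* user enumeration.
+*
+* Authentication services can implement this method to simulate(!) corresponding processes that
+* would be processed during valid requests - e.g. perform password hashing (timing) or call
+* remote services (network latency).
+*
+* @return bool whether other services shall continue
+* @link https://cwe.mitre.org/data/definitions/208.html: CWE-208: Observable Timing Discrepancy
+*/
+public function mimicAuthUser(): bool;
+}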
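Review bot: The interface docblock at L98-L109 describes what to simulate but not the constraints a safe implementation has to meet, which is where third-party implementers are most likely to go wrong: the method should take about as long as a real `authUser()` call for a valid user, should not throw (the core implementation in this commit wraps its work in try/catch while the caller does not), and must not produce side effects such as updating records or failure counters, since it is invoked for requests already known to be invalid. Adding a paragraph along those lines, plus a sentence stating that returning `false` stops the remaining services from mimicking, would make the contract explicit; the caller's handling of the return value is in another file of this commit and inferred from there.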
