
[v1.0.0b] - Time based user enumeration in the /api/auth/token endpoint #1336

Closed
5 tasks done
underfl0w opened this issue Jun 2, 2022 · 1 comment · Fixed by #1338

underfl0w commented Jun 2, 2022

First Check

  • This is not a feature request
  • I added a very descriptive title to this issue.
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.

What is the issue you are experiencing?

Time-based user enumeration

The login functionality of Mealie allows an unauthenticated user to enumerate existing accounts by timing the server's response time.

The average time it takes the API server to respond is significantly lower for non-existing users than existing users.


Impact

The impact on Mealie is low (3,7); there will only be a handful of users on any deployment of Mealie. I am assuming that the probability of finding valid usernames on a randomly exposed instance is low.

The attack complexity is high, and the impact on confidentiality is low.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N - Low 3,7
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

The vulnerability is related to CWE-203.

Fixes

Perform cryptographic operation

It is also possible to separate the logic of checking passwords and usernames inside core/security/security.py into two different checks.

Then add a call to the verify_password function with some random invalid data, to make sure that both checks take a similar amount of time to complete:

    if not user:
        # No such account: still run one bcrypt verification against a dummy
        # hash so that this branch costs about the same as a real check.
        verify_password("abc123cba321", "$2b$12$JdHtJOlkPFwyxdjdygEzPOtYmdQF5/R5tHxw5Tq8pxjubyLqdIX5i")
        return False

    # Account exists: the only bcrypt verification is the real one.
    if not verify_password(password, user.password):
        return False

Set minimum response time

A possible fix would be setting a minimal randomized time that is required before the auth function returns a response code. The time should be between the fastest and slowest time it takes to calculate and compare the password hash.


References

https://www.hacksplaining.com/prevention/user-enumeration
https://cwe.mitre.org/data/definitions/203.html
https://www.cvedetails.com/vulnerability-list/cweid-203/vulnerabilities.html

Deployment

Docker (Linux), Other

Deployment Details

No response
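The two fixes proposed above, side by side with the reported pattern, as an added example that is not part of the issue and not Mealie's own code. PBKDF2-HMAC-SHA256 from hashlib stands in for bcrypt (it only needs to be slow and salted for the timing effect to show), the user table is constructed in memory, and every function name below is hypothetical. `timing_gap_ms` reproduces the measurement the reporter describes: median response time for a wrong password against a known account versus an unknown one.

```python
"""Timing-balanced login check: added example, not Mealie's own code.

Assumptions (labelled as such): PBKDF2-HMAC-SHA256 from hashlib stands in for
the bcrypt hash Mealie uses, USERS is a constructed in-memory user table, and
the function names below are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
import time
from statistics import median

ITERATIONS = 100_000  # enough work that hashing dominates the response time


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salthex$digesthex' for a new password (stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample data: one registered account.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# A valid-looking hash of a throwaway password, computed once at import time and
# used only to burn the same amount of work when the account does not exist.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def authenticate_leaky(email: str, password: str) -> bool:
    """The pattern the issue reports: unknown accounts return before any hashing."""
    stored = USERS.get(email)
    if stored is None:
        return False  # fast path reveals that the account does not exist
    return verify_password(password, stored)


def authenticate_balanced(email: str, password: str) -> bool:
    """First proposed fix: always run exactly one password verification."""
    stored = USERS.get(email)
    if stored is None:
        verify_password(password, DUMMY_HASH)  # same cost as a real check
        return False
    return verify_password(password, stored)


def authenticate_min_time(email: str, password: str,
                          floor_s: float = 0.25, jitter_s: float = 0.05) -> bool:
    """Second proposed fix: pad every response to a randomized minimum duration.

    floor_s must exceed the slowest verify_password run on the host; otherwise
    the padding never applies to existing users and the gap reappears.
    """
    start = time.perf_counter()
    result = authenticate_leaky(email, password)
    target = floor_s + secrets.SystemRandom().uniform(0.0, jitter_s)
    remaining = target - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)
    return result


def timing_gap_ms(auth, rounds: int = 5) -> tuple:
    """Median response time (ms) for a wrong password: (known account, unknown account)."""
    def measure(email: str) -> float:
        samples = []
        for _ in range(rounds):
            t0 = time.perf_counter()
            auth(email, "wrong-password")
            samples.append(time.perf_counter() - t0)
        return median(samples) * 1000
    return measure("alice@example.com"), measure("nobody@example.com")


if __name__ == "__main__":
    for name, fn in [("leaky", authenticate_leaky),
                     ("balanced", authenticate_balanced),
                     ("min-time", authenticate_min_time)]:
        known, unknown = timing_gap_ms(fn)
        print(f"{name:9s} known account {known:7.1f} ms   unknown account {unknown:7.1f} ms")
```

Running the block prints the three gaps: the leaky variant answers unknown accounts in microseconds and known ones in tens of milliseconds, while the balanced variant costs the same in both cases because the dummy verification does identical work. The minimum-time variant only hides the gap while `floor_s` stays above the slowest real hash on the deployment; under load the hash can exceed the floor and the difference returns, which is why the dummy-verification approach is the more robust of the two.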

@hay-kot hay-kot modified the milestone: v1.0.0beta-3 Jun 2, 2022
underfl0w (Contributor, Author) commented:

This is my attempt at implementing a fix by adding a randomized time delay. I'm not experienced with software development, so it will probably have to be reworked.

https://github.com/underfl0w/mealie/blob/Token_delay/mealie/routes/auth/auth.py
