
Potential timing attack for API key check #2819

Closed
elegantmoose opened this issue Sep 18, 2023 · 1 comment

Comments

@elegantmoose
Contributor

Describe the bug
Submitting on behalf of user.

The following code:

```python
if api_key == self.get_config(CONFIG_API_KEY_RED):
    return True
if api_key == self.get_config(CONFIG_API_KEY_BLUE):
```

In a review of the Caldera source code, I believe I have discovered a potential timing attack vulnerability in Caldera's authentication service. I noticed that comparison of each request's API key is done with a simple "==" comparison, instead of the timing-attack-resistant "hmac.compare_digest". Given that Caldera is commonly deployed on users' LAN networks, the likelihood of a timing attack from a malicious actor already within the LAN is more practical. This vulnerability could allow for an attacker to measure timing differences during comparison of the API key for each request. Given enough sample timings, this would leak valid characters from the API key, as correct guesses will take longer to return due to the implementation of the "==" comparison.

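The fix the issue asks for, as an added illustration that is not Caldera's own code: the quoted `==` pattern next to a hardened check that uses `hmac.compare_digest`. The config dict, key names and key values are constructed placeholders standing in for `self.get_config(...)`.

```python
import hmac

# Constructed stand-in for Caldera's config lookups; the values are placeholders, not real keys.
CONFIG = {
    "api_key_red": "RED-EXAMPLE-KEY-0001",
    "api_key_blue": "BLUE-EXAMPLE-KEY-0002",
}


def check_api_key_vulnerable(api_key, config):
    """The pattern quoted in the issue: str '==' stops at the first differing byte,
    so the time taken depends on how long the common prefix is."""
    if api_key == config.get("api_key_red"):
        return True
    if api_key == config.get("api_key_blue"):
        return True
    return False


def _to_bytes(value):
    """hmac.compare_digest wants two bytes-like objects (or two ASCII-only str).
    Encoding to UTF-8 avoids a TypeError on non-ASCII input."""
    if isinstance(value, bytes):
        return value
    return value.encode("utf-8")


def _ct_equal(presented, expected):
    """Length-independent comparison of the presented key against one configured key.
    compare_digest still reveals whether the lengths differ; the key length is not
    treated as secret here, only its contents."""
    if presented is None or expected is None:
        return False
    return hmac.compare_digest(_to_bytes(presented), _to_bytes(expected))


def check_api_key_hardened(api_key, config):
    """Compare against both keys with constant-time comparison. Both comparisons are
    always evaluated, so a request's latency does not depend on which key matched."""
    red_ok = _ct_equal(api_key, config.get("api_key_red"))
    blue_ok = _ct_equal(api_key, config.get("api_key_blue"))
    return red_ok or blue_ok
```

The hardened version also handles a missing header (`None`), an unset config key and non-ASCII input, each of which simply fails closed.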

@github-actions

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days
