ID CVE-2017-5361
Summary Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain sensitive user password information via a timing side-channel attack.
References
Vulnerable Configurations
  • bestpractical Request Tracker 4.0.0
    cpe:2.3:a:bestpractical:request_tracker:4.0.0
  • bestpractical Request Tracker 4.0.1
    cpe:2.3:a:bestpractical:request_tracker:4.0.1
  • bestpractical Request Tracker 4.0.2
    cpe:2.3:a:bestpractical:request_tracker:4.0.2
  • bestpractical Request Tracker 4.0.3
    cpe:2.3:a:bestpractical:request_tracker:4.0.3
  • bestpractical Request Tracker 4.0.4
    cpe:2.3:a:bestpractical:request_tracker:4.0.4
  • bestpractical Request Tracker 4.0.5
    cpe:2.3:a:bestpractical:request_tracker:4.0.5
  • bestpractical Request Tracker 4.0.6
    cpe:2.3:a:bestpractical:request_tracker:4.0.6
  • bestpractical Request Tracker 4.0.7
    cpe:2.3:a:bestpractical:request_tracker:4.0.7
  • bestpractical Request Tracker 4.0.8
    cpe:2.3:a:bestpractical:request_tracker:4.0.8
  • bestpractical Request Tracker 4.0.9
    cpe:2.3:a:bestpractical:request_tracker:4.0.9
  • bestpractical Request Tracker 4.0.10
    cpe:2.3:a:bestpractical:request_tracker:4.0.10
  • bestpractical Request Tracker 4.0.11
    cpe:2.3:a:bestpractical:request_tracker:4.0.11
  • bestpractical Request Tracker 4.0.12
    cpe:2.3:a:bestpractical:request_tracker:4.0.12
  • bestpractical Request Tracker 4.0.13
    cpe:2.3:a:bestpractical:request_tracker:4.0.13
  • Best Practical Request Tracker 4.0.14
    cpe:2.3:a:bestpractical:request_tracker:4.0.14
  • Best Practical Request Tracker 4.0.15
    cpe:2.3:a:bestpractical:request_tracker:4.0.15
  • Best Practical Request Tracker 4.0.16
    cpe:2.3:a:bestpractical:request_tracker:4.0.16
  • Best Practical Request Tracker 4.0.17
    cpe:2.3:a:bestpractical:request_tracker:4.0.17
  • Best Practical Request Tracker 4.0.18
    cpe:2.3:a:bestpractical:request_tracker:4.0.18
  • Best Practical Request Tracker 4.0.19
    cpe:2.3:a:bestpractical:request_tracker:4.0.19
  • Best Practical Request Tracker 4.0.20
    cpe:2.3:a:bestpractical:request_tracker:4.0.20
  • Best Practical Request Tracker 4.0.21
    cpe:2.3:a:bestpractical:request_tracker:4.0.21
  • Best Practical Request Tracker 4.0.22
    cpe:2.3:a:bestpractical:request_tracker:4.0.22
  • Best Practical Request Tracker 4.0.23
    cpe:2.3:a:bestpractical:request_tracker:4.0.23
  • Best Practical Request Tracker 4.0.24
    cpe:2.3:a:bestpractical:request_tracker:4.0.24
  • Best Practical Request Tracker 4.2.0
    cpe:2.3:a:bestpractical:request_tracker:4.2.0
  • Best Practical Request Tracker 4.2.1
    cpe:2.3:a:bestpractical:request_tracker:4.2.1
  • Best Practical Request Tracker 4.2.2
    cpe:2.3:a:bestpractical:request_tracker:4.2.2
  • Best Practical Request Tracker 4.2.3
    cpe:2.3:a:bestpractical:request_tracker:4.2.3
  • Best Practical Request Tracker 4.2.4
    cpe:2.3:a:bestpractical:request_tracker:4.2.4
  • Best Practical Request Tracker 4.2.5
    cpe:2.3:a:bestpractical:request_tracker:4.2.5
  • Best Practical Request Tracker 4.2.6
    cpe:2.3:a:bestpractical:request_tracker:4.2.6
  • Best Practical Request Tracker 4.2.7
    cpe:2.3:a:bestpractical:request_tracker:4.2.7
  • Best Practical Request Tracker 4.2.8
    cpe:2.3:a:bestpractical:request_tracker:4.2.8
  • Best Practical Request Tracker 4.2.9
    cpe:2.3:a:bestpractical:request_tracker:4.2.9
  • Best Practical Request Tracker 4.2.10
    cpe:2.3:a:bestpractical:request_tracker:4.2.10
  • Best Practical Request Tracker 4.2.11
    cpe:2.3:a:bestpractical:request_tracker:4.2.11
  • Best Practical Request Tracker 4.2.12
    cpe:2.3:a:bestpractical:request_tracker:4.2.12
  • Best Practical Request Tracker 4.2.13
    cpe:2.3:a:bestpractical:request_tracker:4.2.13
  • Best Practical Request Tracker 4.4.1
    cpe:2.3:a:bestpractical:request_tracker:4.4.1
  • Best Practical Request Tracker 4.4.0
    cpe:2.3:a:bestpractical:request_tracker:4.4.0
CVSS
Base: 4.3
Impact:
Exploitability:
CWE CWE-361
CAPEC
  • Session Credential Falsification through Forging
    An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
  • Session Fixation
    The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_7A92E958520711E78D7C6805CA0B3D42.NASL
    description BestPractical reports : Please reference CVE/URL list for details
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 100827
    published 2017-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100827
    title FreeBSD : rt and dependent modules -- multiple security vulnerabilities (7a92e958-5207-11e7-8d7c-6805ca0b3d42)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3883.NASL
    description It was discovered that RT::Authen::ExternalAuth, an external authentication module for Request Tracker, is vulnerable to timing side-channel attacks for user passwords. Only ExternalAuth in DBI (database) mode is vulnerable.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100819
    published 2017-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100819
    title Debian DSA-3883-1 : rt-authen-externalauth - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-01CE69C6BF.NASL
    description Security fix for CVE-2016-6127, CVE-2017-5361, CVE-2017-5943, CVE-2017-5944. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 102182
    published 2017-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102182
    title Fedora 25 : rt (2017-01ce69c6bf)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-2B7C896551.NASL
    description Security fix for CVE-2016-6127, CVE-2017-5361, CVE-2017-5943, CVE-2017-5944. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 102383
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102383
    title Fedora 24 : rt (2017-2b7c896551)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3882.NASL
    description Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2016-6127 It was discovered that Request Tracker is vulnerable to a cross-site scripting (XSS) attack if an attacker uploads a malicious file with a certain content type. Installations which use the AlwaysDownloadAttachments config setting are unaffected by this flaw. The applied fix addresses all existent and future uploaded attachments. - CVE-2017-5361 It was discovered that Request Tracker is vulnerable to timing side-channel attacks for user passwords. - CVE-2017-5943 It was discovered that Request Tracker is prone to an information leak of cross-site request forgery (CSRF) verification tokens if a user is tricked into visiting a specially crafted URL by an attacker. - CVE-2017-5944 It was discovered that Request Tracker is prone to a remote code execution vulnerability in the dashboard subscription interface. A privileged attacker can take advantage of this flaw through carefully-crafted saved search names to cause unexpected code to be executed. The applied fix addresses all existent and future saved searches. Additionally to the above mentioned CVEs, this update works around CVE-2015-7686 in Email::Address which could induce a denial of service of Request Tracker itself.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100818
    published 2017-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100818
    title Debian DSA-3882-1 : request-tracker4 - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-987.NASL
    description Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2016-6127 It was discovered that Request Tracker is vulnerable to a cross-site scripting (XSS) attack if an attacker uploads a malicious file with a certain content type. Installations which use the AlwaysDownloadAttachments config setting are unaffected by this flaw. The applied fix addresses all existent and future uploaded attachments. CVE-2017-5361 It was discovered that Request Tracker is vulnerable to timing side-channel attacks for user passwords. CVE-2017-5943 It was discovered that Request Tracker is prone to an information leak of cross-site request forgery (CSRF) verification tokens if a user is tricked into visiting a specially crafted URL by an attacker. CVE-2017-5944 It was discovered that Request Tracker is prone to a remote code execution vulnerability in the dashboard subscription interface. A privileged attacker can take advantage of this flaw through carefully-crafted saved search names to cause unexpected code to be executed. The applied fix addresses all existent and future saved searches. Additionally to the above mentioned CVEs, this update works around CVE-2015-7686 in Email::Address which could induce a denial of service of Request Tracker itself. For Debian 7 'Wheezy', these problems have been fixed in version 4.0.7-5+deb7u5. We recommend that you upgrade your request-tracker4 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 100817
    published 2017-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100817
    title Debian DLA-987-1 : request-tracker4 security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-988.NASL
    description It was discovered that RT::Authen::ExternalAuth, an external authentication module for Request Tracker, is vulnerable to timing side-channel attacks for user passwords. Only ExternalAuth in DBI (database) mode is vulnerable. For Debian 7 'Wheezy', these problems have been fixed in version 0.10-4+deb7u1. We recommend that you upgrade your rt-authen-externalauth packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 100848
    published 2017-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100848
    title Debian DLA-988-1 : rt-authen-externalauth security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-475AED1BD1.NASL
    description Security fix for CVE-2016-6127, CVE-2017-5361, CVE-2017-5943, CVE-2017-5944. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 102184
    published 2017-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102184
    title Fedora 26 : rt (2017-475aed1bd1)
refmap via4
confirm https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016
debian
  • DSA-3882
  • DSA-3883
Last major update 03-07-2017 - 12:29
Published 03-07-2017 - 12:29
Last modified 07-07-2017 - 12:51