Date: Wed, 24 Jul 2013 04:26:41 +0000
From: "Christey, Steven M." <coley@...re.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: "security@...ngoproject.com" <security@...ngoproject.com>, "Salvatore Bonaccorso" <carnil@...ian.org>, Henri Salo <henri@...v.fi>
Subject: RE: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth

Donald Stufft said:

>I don't think this really deserves a CVE. All versions of Django prior to
>1.6 (unreleased) have allowed you to determine if a username existed
>or not via the login failure message, negating the need to do any sort
>of timing attack.

The simple existence of a timing issue does not automatically qualify something for a CVE.  We have typically taken the approach that if there's a "policy" of a product in which the information is not regarded as sensitive - such as intended functionality - then this does not cross "privilege boundaries" and would not qualify for a CVE.  For example, if users automatically get public profiles, then the username might not be private.  If Django was intentionally providing these specific login failure details as a convenience to its users, then that forms a "policy" (which still might deserve its own CVE because Django admins might not want that).

This is an interesting case, because the "legitimate functionality" (login error message infoleak) is itself (potentially) an issue.

Is the login failure message hard-coded, or is it dependent on configuration?  If there's a possible configuration that hides the cause of login failure such as a custom message, then the timing attack would still be a valid scenario for enumerating usernames under that otherwise-good configuration, and would get a CVE.

Regardless, there probably needs to be a CVE for the login failure username enumeration before 1.6 (unless there already is one).

There is still a (minor) question about whether a CVE is necessary for the timing discrepancy.  When dealing with closely-related issues, another question is "if issue 1 is fixed, then would that automatically fix issue 2?"  (This is effectively finding chains.)  In this case, a fix for the login failure error message would not fix the timing discrepancy, so they are distinguishable issues, at the least.

- Steve
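Added illustration, not part of the thread and not Django's own code: a constructed Django-style password check that shows the point made above, namely that switching to a generic failure message (issue 1) leaves the timing discrepancy (issue 2) untouched, and what closing both takes. Counting slow-hash invocations stands in for wall-clock timing; the function names, the user store and the dummy-hash approach are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a Django-style password backend; not Django's own code.
ITERATIONS = 50_000
hash_calls = 0  # work counter: the side channel, without wall-clock noise


def slow_hash(password: str, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


SALT = os.urandom(16)
USERS = {"alice": (SALT, slow_hash("correct horse", SALT))}  # constructed user store
DUMMY_SALT = os.urandom(16)


def login_verbose(username, password):
    """Pre-1.6 style: distinct messages, and unknown users skip the hash (issues 1 and 2)."""
    rec = USERS.get(username)
    if rec is None:
        return "Unknown username"
    salt, stored = rec
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return "OK" if ok else "Wrong password"


def login_generic_message(username, password):
    """Issue 1 fixed only: one message for both failures, but unknown users still skip the hash."""
    rec = USERS.get(username)
    if rec is None:
        return "Invalid login"
    salt, stored = rec
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return "OK" if ok else "Invalid login"


def login_constant_work(username, password):
    """Both fixed: an unknown user costs one dummy hash, the same work as a known user."""
    rec = USERS.get(username)
    if rec is None:
        slow_hash(password, DUMMY_SALT)  # result discarded; only the work matters
        return "Invalid login"
    salt, stored = rec
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return "OK" if ok else "Invalid login"


def hash_work(login, username, password="wrong"):
    """Slow hashes one attempt triggers; a per-username difference is the enumeration leak."""
    global hash_calls
    hash_calls = 0
    login(username, password)
    return hash_calls
```

Running `hash_work` for "alice" and "nobody" against each backend shows the generic-message variant still doing 1 vs 0 hashes, while the constant-work variant does 1 vs 1.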
