Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <18957144-3F90-4803-AA90-53D6900BDD80@sigma-star.at>
Date: Sat, 7 Sep 2024 12:54:44 +0200
From: David Gstir <david@...ma-star.at>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-45751: CHAP authentication bypass in user-space Linux target
 framework (tgt) up to v1.0.92

## Summary

The user-space iSCSI target daemon of the Linux target framework (tgt)  uses an insecure
random number generator to generate CHAP authentication callenges. This results in
predictable challenges which an attacker capable of recording network traffic between
iSCSI target and initiator can abuse to bypass CHAP authentication by replaying
previous responses.

- *Identifier:*                   sigma-star-sa-2024-001
- *Type of vulnerability (CWE):*  Use of cryptographically weak pseud-random
                                 number generator ([CWE-338](https://cwe.mitre.org/data/definitions/338.html))
- *Vendor:*                       -
- *Product/Software:*             [The Linux target framework (tgt)](https://github.com/fujita/tgt)
- *Affected versions:*            <= 1.0.92
- *Fixed versions:*               1.0.93
- *CVE ID:*                       CVE-2024-45751

## Affected Product and Vendor

> The Linux target framework (tgt) is a user space SCSI target framework that
> supports the iSCSI and iSER transport protocols and that supports multiple
> methods for accessing block storage. Tgt consists of user-space daemon and tools.

Source: https://github.com/fujita/tgt/blob/e393a80b02b8cb90709c75f9bd91542ea3a78d58/README.md

## Description

`tgt` supports CHAP for authenticating initiators. As defined in the [CHAP specification](https://datatracker.ietf.org/doc/html/rfc1994#section-2)
the target generates a random challenge and sends it to the initiator. `tgt` fails
to use a cryptographically secure random number generator for this. Instead it
simply uses the [`rand()`](https://man7.org/linux/man-pages/man3/srand.3.html) call without
setting a seed using `srand()` first. Thus the default seed (equivalent to `srand(1)`) will be used.
This results in a predictable sequence of numbers being returned by subsequent
calls to `rand()`.

Note that even though `tgt` generates a random length for each challenge,
this does not affect the predictability of challenges as these lengths will
also be generated using predictable output of `rand()`.

```c
static int chap_initiator_auth_create_challenge(struct iscsi_connection *conn)
{
	char *value, *p;
	char text[CHAP_CHALLENGE_MAX * 2 + 8];
	static int chap_id;
	int i;

	[...]

	/*
	 * FIXME: does a random challenge length provide any benefits security-
	 * wise, or should we rather always use the max. allowed length of
	 * 1024 for the (unencoded) challenge?
	 */
	conn->auth.chap.challenge_size = (rand() % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2;

	conn->auth.chap.challenge = malloc(conn->auth.chap.challenge_size);
	if (!conn->auth.chap.challenge)
		return CHAP_TARGET_ERROR;

	p = text;
	strcpy(p, "0x");
	p += 2;
	for (i = 0; i < conn->auth.chap.challenge_size; i++) {
		conn->auth.chap.challenge[i] = rand();
		sprintf(p, "%.2hhx", conn->auth.chap.challenge[i]);
		p += 2;
	}
	text_key_add(conn, "CHAP_C",  text);

	return 0;
}
```

Source: https://github.com/fujita/tgt/blob/v1.0.92/usr/iscsi/chap.c#L333

## Impact

An attacker who is able to recording network traffic between iSCSI target
and initiator can apply a replay attack to bypass the CHAP authentication.
All the attacker has to do is wait for the server or the service to restart
and replay with a previously record CHAP session which fits into the sequence.

Having bypassed CHAP authentication, an attacker has full user privileges and
can modify the iSCSI target at will within that user privileges.

## Mitigation

We recommend replacing the pseudo-random number generator (`rand()`)  with
`getrandom()`as this will yield cryptographically secure pseudo-random numbers
fitting for CHAP challenges.

Version 1.0.93 contains this fix.

## Patches

- https://github.com/fujita/tgt/pull/67/commits/abd8e0d987ab56013d360077202bf2aca20a42dd (chap: Use proper entropy source)

## Disclosure Timeline

- 2024-09-03: Vulnerability disclosed to vendor
- 2024-09-04: Patch submitted to vendor and version 1.0.93 released by vendor
- 2024-09-07: Advisory published

## Credits

- Richard Weinberger ([sigma star gmbh](https://sigma-star.at)
- David Gstir ([sigma star gmbh](https://sigma-star.at)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.