MyFaces Core

MYFACES-2934: Side-channel timing attack in StateUtils class may still allow padding oracle attack

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.2.9
    • Fix Version/s: 1.1.9, 1.2.10, 2.0.3
    • Component/s: None
    • Labels: None
    • Environment: All using MyFaces 1.2.9

      Description

      FYI: I'm the person who fixed the padding oracle attack in ESAPI 2.0-rc# crypto which is why I spotted this.

      I did a quick code inspection of the encrypt() / decrypt() methods in org.apache.myfaces.shared_impl.util.StateUtils as it relates to the fix for MYFACES-2749. Most everything is done correctly (MAC is over IV+ciphertext and checked before decryption), but I noticed a subtle flaw that, at least in theory (or with enough data gathering and statistical analysis), opens a side-channel timing attack that might still be used as an oracle in a padding oracle attack such as described by Duong and Rizzo.

      The problem is in the 'for' loop at lines 471-478 in StateUtils.java. You need to ALWAYS compare ALL the bytes in the MAC to ensure a timing side-channel attack cannot be used as an oracle in the padding oracle attack.

      Contact me at kevin.w.wall@gmail.com if you need more info or want to see how it was fixed in OWASP ESAPI.
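      Added illustration (not MyFaces code and not part of this issue): the early-exit MAC comparison the report describes beside one that always walks every byte, applied to an HMAC over a constructed IV+ciphertext. The class and method names, key and payload are assumptions made for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Constructed example, not the StateUtils code: two ways to check the MAC
// that protects IV+ciphertext before any decryption happens.
public class MacCompareDemo {

    // Early-exit comparison: returns at the first differing byte, so the time
    // taken depends on how many leading bytes of the supplied MAC matched.
    static boolean earlyExitEquals(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != actual[i]) {
                return false;   // timing reveals the position of the mismatch
            }
        }
        return true;
    }

    // Full-length comparison: every byte is visited and differences are OR'ed
    // together, so the running time does not depend on where they differ.
    static boolean constantTimeEquals(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) return false;
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ actual[i];
        }
        return diff == 0;
    }

    // HMAC-SHA1 over the concatenated IV and ciphertext (as the report notes
    // MyFaces does); the algorithm choice here is only for the demo.
    static byte[] hmac(byte[] key, byte[] ivAndCiphertext) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(ivAndCiphertext);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] payload = "iv-then-ciphertext".getBytes(StandardCharsets.UTF_8);
        byte[] good = hmac(key, payload);
        byte[] tampered = Arrays.copyOf(good, good.length);
        tampered[tampered.length - 1] ^= 0x01;   // alter only the last MAC byte
        System.out.println("valid MAC, full compare:    " + constantTimeEquals(good, good));
        System.out.println("tampered MAC, full compare: " + constantTimeEquals(good, tampered));
        System.out.println("tampered MAC, early exit:   " + earlyExitEquals(good, tampered));
    }
}
```

      The JDK's java.security.MessageDigest.isEqual(byte[], byte[]) performs the same full-length comparison and is the usual replacement for a hand-written loop.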

        Activity

        Leonardo Uribe added a comment -

        I have checked it and well, the probability of being successful using that type of attack is very, very, very, very, very low, because the comparison done in this case takes very little time compared with other tasks done by myfaces itself on a single request.

        Anyway, I would like to know how to fix it; maybe replacing the line "break" with "continue" should do the job. If so, I can commit the code on all myfaces branches.

        Leonardo Uribe added a comment -

        I just removed the break, and left a message to prevent developers from removing that code.

        Thanks to Kevin W. Wall for this report.


          People

          • Assignee: Leonardo Uribe
          • Reporter: Kevin W. Wall