MyFaces Core / MYFACES-2934

Side-channel timing attack in StateUtils class may still allow padding oracle attack

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.2.9
    • Fix Version/s: 1.1.9, 1.2.10, 2.0.3
    • Component/s: None
    • Labels: None
    • Environment: All using MyFaces 1.2.9

      Description

      FYI: I'm the person who fixed the padding oracle attack in ESAPI 2.0-rc# crypto which is why I spotted this.

      I did a quick code inspection of the encrypt() / decrypt() methods in org.apache.myfaces.shared_impl.util.StateUtils as it relates to the fix for MYFACES-2749. Most everything is done correctly (MAC is over IV+ciphertext and checked before decryption), but I noticed a subtle flaw that, at least in theory (or with enough data gathering and statistical analysis), opens a side-channel timing attack that might still be used as an oracle in a padding oracle attack such as described by Duong and Rizzo.

      The problem is in the 'for' loop at lines 471-478 in StateUtils.java. You need to ALWAYS compare ALL the bytes in the MAC to ensure a timing side-channel attack cannot be used as an oracle in the padding oracle attack.

      Contact me at kevin.w.wall@gmail.com if you need more info or want to see how it was fixed in OWASP ESAPI.
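
      The comparison flaw described in this report, shown as an added example (not MyFaces or ESAPI code): an early-exit MAC check beside a form that always compares every byte. The class name, method names, the HmacSHA1 choice and the sample key and message are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class MacCompareDemo {

    // Early-exit comparison: returns at the first mismatching byte, so the
    // running time depends on how many leading MAC bytes are correct.
    static boolean leakyEquals(byte[] expected, byte[] received) {
        if (expected.length != received.length) return false;
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != received[i]) return false;
        }
        return true;
    }

    // Always visits every byte and folds the differences into one value;
    // the only data-dependent branch is the final check on the accumulator.
    static boolean constantTimeEquals(byte[] expected, byte[] received) {
        if (expected.length != received.length) return false; // MAC length is not secret
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ received[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and message; HmacSHA1 is an assumed algorithm.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] ivAndCiphertext = "constructed IV + ciphertext".getBytes(StandardCharsets.UTF_8);

        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] expected = mac.doFinal(ivAndCiphertext);

        byte[] tampered = Arrays.copyOf(expected, expected.length);
        tampered[tampered.length - 1] ^= 0x01; // differs only in the last byte

        // Both functions agree on the result; only their timing behaviour differs.
        System.out.println("leaky, tampered:         " + leakyEquals(expected, tampered));
        System.out.println("constant-time, tampered: " + constantTimeEquals(expected, tampered));
        System.out.println("constant-time, valid:    " + constantTimeEquals(expected, expected));
        // The JDK's own byte-array comparison for digests and MACs:
        System.out.println("MessageDigest.isEqual:   " + MessageDigest.isEqual(expected, tampered));
    }
}
```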

        Activity

        Kevin W. Wall created issue
        Leonardo Uribe made changes (Field: Original Value -> New Value)
          Priority: Major [ 3 ] -> Minor [ 4 ]
        Leonardo Uribe made changes
          Status: Open [ 1 ] -> Resolved [ 5 ]
          Assignee: (empty) -> Leonardo Uribe [ lu4242 ]
          Fix Version/s: (empty) -> 1.1.9-SNAPSHOT [ 12315116 ]
          Fix Version/s: (empty) -> 1.2.10-SNAPSHOT [ 12315114 ]
          Fix Version/s: (empty) -> 2.0.3-SNAPSHOT [ 12315349 ]
          Resolution: (empty) -> Fixed [ 1 ]
        Leonardo Uribe made changes
          Fix Version/s: (empty) -> 1.1.10 [ 12315979 ]
          Fix Version/s: (empty) -> 1.2.10 [ 12315978 ]
          Fix Version/s: (empty) -> 2.0.3 [ 12315976 ]
          Fix Version/s: 1.2.10-SNAPSHOT [ 12315114 ] -> (empty)
          Fix Version/s: 1.1.9-SNAPSHOT [ 12315116 ] -> (empty)
          Fix Version/s: 2.0.3-SNAPSHOT [ 12315349 ] -> (empty)
        Leonardo Uribe made changes
          Status: Resolved [ 5 ] -> Closed [ 6 ]
        Leonardo Uribe made changes
          Fix Version/s: (empty) -> 1.1.9 [ 12316154 ]
          Fix Version/s: 1.1.10 [ 12315979 ] -> (empty)

          People

          • Assignee: Leonardo Uribe
          • Reporter: Kevin W. Wall
          • Votes: 0
          • Watchers: 0


              Time Tracking

              Estimated: 48h
              Remaining: 48h
              Logged: Not Specified
