201703-01

Multiple timing side-channel issues

Background

A timing side-channel attack is a kind of side channel that reveals confidential or secret information by testing the amount of time taken by the vulnerable software to process an input, and infer in that way the secret by testing random inputs incrementally, one character at a time.

This kind of side channel is difficult to exploit but has been demonstrated to work, and is heavily dependant on the characteristics of the hardware running the vulnerable software, as well as the transmission medium (e.g. the network used by the attacker to send requests and measure the time taken to respond) and the execution context (e.g. the operating system).

Description

Two different timing side-channel attacks have been discovered in SimpleSAMLphp. Both cases are caused by a relaxed comparison of secret material against user input, using the standard comparison operator. This operator compares both input strings character by character, returning as soon as it spots a difference. Therefore, it takes a variable amount of time to compare two strings, depending on how long does it take to find a different character.

There are two known ways to effectively remove this kind of side channel. One consists on performing a comparison in constant time, no matter when the first difference is spotted. The other is a double HMAC comparison, consisting on the application of an HMAC function to both strings in the input, and comparing the resulting hashes. This solution works because one single change in the input makes its corresponding hash change completely due to the avalanche effect, and therefore there is no longer a relation between the change in the input and the amount of processing time taken to compare.

The first issue affects the SimpleSAML_Session class. An authentication token is used to prevent session fixation attacks, and such token, included in a cookie, is compared to a random string generated at authentication time and stored in the session itself. By monitoring the response time, an attacker may test different values of the authentication token until being able to guess the value stored in a given session. For this attack to succeed, though, the attacker needs access to a given valid session, and that implies the ability to mount a session fixation attack in the first place.

The second issue was found in the Htpasswd authentication source included in the authcrypt module. In this case, the relaxed comparison was used to compare a given password against the one stored, and therefore could lead to the original password being leaked to the attacker.

Both issues have been resolved by introducing the secureCompare() method in the SimpleSAML\Utils\Crypto class, which acts as a wrapper to the standard hash_equals() function when available (PHP >= 5.6), or performs the comparison manually in constant time when not.

Affected versions

All SimpleSAMLphp versions before and including 1.14.11.

Impact

The issue discovered in SimpleSAMLphp's session handling affects the validation of the authentication token, which could therefore be leaked to an attacker. Even though this attack is considered difficult to exploit, given the very nature of the network, which introduces timing variations usually much bigger than the ones that may be observed during the processing of a request by the server, it affects every single installation of SimpleSAMLphp, so it should be taken with caution. Fortunately, the mere possession of the authentication token does not guarantee being recognized as authenticated by SimpleSAMLphp, so an attacker must also perform a session fixation attack on the victim, which is difficult in this context.

Additionally, every installation of SimpleSAMLphp using the Htpasswd authentication source of the authcrypt module is also affected. In this case, it is the password of a given user that could be leaked by measuring the time taken to respond to an authentication attempt, and therefore the issue must be considered critical in this case.

Resolution

Upgrade to the latest version.