Possible Basic Auth Timing Attack in RPC server via nimiq_jsonrpc_server #2452

Closed
jsdanielh opened this issue May 9, 2024 · 0 comments · Fixed by #2486
@jsdanielh (Contributor)

Link: https://hackerone.com/reports/2491447
Date: 2024-05-06 07:18:39 UTC
By: ryanrb
Weakness: Information Exposure Through Timing Discrepancy

Details:

Summary

Similar to #2447113, the basic auth implementation used in lib/src/extras/rpc_server.rs leverages nimiq_jsonrpc_server, which does a simplistic string comparison of passwords.

Project: core-rs-albatross
File reference: lib/src/extras/rpc_server.rs
Line: 67

```rust
use nimiq_jsonrpc_server::{AllowListDispatcher, Config, ModularDispatcher, Server as _Server};
// ...
pub type Server = _Server<AllowListDispatcher<ModularDispatcher>>;
// ...

// The RPC server hands `basic_auth` straight to nimiq_jsonrpc_server,
// so its credential check is whatever that crate implements.
Ok(Server::new(
    Config {
        bind_to: (config.bind_to.unwrap_or_else(default_bind), config.port).into(),
        enable_websocket: false,
        ip_whitelist: None,
        basic_auth,
    },
    AllowListDispatcher::new(dispatcher, allowed_methods),
))
```

File reference: nimiq_jsonrpc_server:server/lib.rs (link)
Line: 180

```rust
// Plain `==` on the username and password strings: the comparison can stop
// at the first differing byte, so its duration depends on the guess.
if auth_header.0.username() == basic_auth.username
    && auth_header.0.password() == basic_auth.password
```

Recommendation

Use a time-safe comparison when it comes to the password check to avoid leaking information.

References:

Impact

The RPC server's basic auth password could potentially be compromised via timing analysis if the check in nimiq_jsonrpc_server is used as-is.
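To make the recommendation concrete, here is an added example (not code from core-rs-albatross or nimiq_jsonrpc_server) that puts the reported `==` check beside a constant-time credential check. The `BasicAuth` struct, `MAX_CRED_LEN` and the sample credentials are assumptions constructed for the example; it uses only the Rust standard library and pads both sides to a public fixed length instead of hashing, whereas the merged fix hashes with blake2b and compares with the `subtle` crate.

```rust
// Added example: a basic-auth credential check that does not branch on secret bytes.
use std::hint::black_box;

/// Public upper bound on credential length (assumed for this example). Both
/// sides are padded to this size so the loop bound does not depend on the secret.
pub const MAX_CRED_LEN: usize = 256;

/// Stored credentials, mirroring the `basic_auth` fields in the report.
pub struct BasicAuth {
    pub username: String,
    pub password: String,
}

/// The pattern flagged in the report: `==` on strings compares lengths first
/// and then bytes until the first mismatch, so its running time correlates
/// with how much of the guess is correct.
pub fn naive_check(stored: &BasicAuth, username: &str, password: &str) -> bool {
    username == stored.username && password == stored.password
}

/// Constant-time equality over byte strings of at most MAX_CRED_LEN bytes.
/// The work done is independent of where (or whether) the inputs differ.
pub fn constant_time_eq(expected: &[u8], provided: &[u8]) -> bool {
    // Rejecting over-long input is fine: the bound is public, not secret.
    if expected.len() > MAX_CRED_LEN || provided.len() > MAX_CRED_LEN {
        return false;
    }
    let mut a = [0u8; MAX_CRED_LEN];
    let mut b = [0u8; MAX_CRED_LEN];
    // The copy length still depends on the secret's length; hashing both sides
    // to a fixed-width digest first (as the project's fix does) removes even that.
    a[..expected.len()].copy_from_slice(expected);
    b[..provided.len()].copy_from_slice(provided);

    // Fold the length difference into the accumulator instead of branching on it.
    let mut diff: usize = expected.len() ^ provided.len();
    for i in 0..MAX_CRED_LEN {
        // black_box keeps the optimizer from turning this into an early-exit memcmp.
        diff |= usize::from(black_box(a[i]) ^ black_box(b[i]));
    }
    black_box(diff) == 0
}

/// Hardened check: both fields are compared in constant time and the results
/// are combined with `&` (not `&&`) so a wrong username does not short-circuit
/// the password comparison.
pub fn constant_time_check(stored: &BasicAuth, username: &str, password: &str) -> bool {
    let user_ok = constant_time_eq(stored.username.as_bytes(), username.as_bytes());
    let pass_ok = constant_time_eq(stored.password.as_bytes(), password.as_bytes());
    user_ok & pass_ok
}

fn main() {
    // Constructed sample credentials; not values from the project.
    let stored = BasicAuth {
        username: "rpc".into(),
        password: "correct horse battery staple".into(),
    };
    let attempts = [
        ("rpc", "correct horse battery staple"),
        ("rpc", "correct horse battery stapler"),
        ("rpc", "wrong"),
        ("admin", "correct horse battery staple"),
    ];
    for (u, p) in attempts {
        println!(
            "{u:?}/{p:?}: naive={} constant_time={}",
            naive_check(&stored, u, p),
            constant_time_check(&stored, u, p)
        );
    }
}
```

Both functions return the same booleans; the difference is only in how long each takes to reach its answer. Hashing both values to a fixed-length digest before the comparison, which is what the fix commit describes with blake2b and `subtle`, is the cleaner route because it hides the secret's length as well and needs no padding bound.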

@hrxi hrxi self-assigned this May 15, 2024
hrxi added a commit that referenced this issue May 20, 2024
Do that by hashing the passwords using blake2b and then using `subtle`
to do a constant-time comparison.

Fixes #2452.
Fixes #2460.
@styppo styppo added this to the Nimiq PoS Mainnet milestone May 20, 2024