The following flaw was reported in the Xorg server:

Summary and Impact
------------------

xorg-server/xorg-server-1.19.0/os/mitauth.c:79 uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, the client is allowed to attach to the Xorg session. Since most memcmp() implementations return as soon as an invalid byte is seen, this causes a time difference between a valid and an invalid byte, which in theory could allow an efficient brute force attack [1].

Analysis
--------

X41 was not able to measure a significant difference using the optimized memcmp() of a standard Linux system, but was able to for a naive implementation consisting of a loop comparing the bytes. Since timing attacks against memcmp() have been successful in the past [2] and have been fixed elsewhere [3][4], X41 would consider this an issue. If exploited, it would allow a local attacker to run code in the Xorg session of another user.

In order to prevent this, MIT-COOKIES should be removed, or a comparison similar to timingsafe_memcmp() [5] should be used. Other projects (e.g. OpenSSL) use timing-safe memcmp() implementations to compare cookies retrieved via the network [6].

[1] https://cryptocoding.net/index.php/Coding_rules#Compare_secret_strings_in_constant_time
[2] http://de.slideshare.net/cisoplatform7/defcon-22paulmcmillanattackingtheiotusingtimingattac
[3] http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf
[4] https://bugs.ruby-lang.org/issues/10098
[5] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/string/timingsafe_memcmp.c
[6] https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L1249
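The two comparison patterns the advisory contrasts, as an added example that is not code from the advisory, from xorg-server or from OpenBSD: the early-exit byte loop whose work depends on where the first mismatch sits, beside a constant-time check modelled on OpenBSD's timingsafe_bcmp() (OR-accumulated XOR over every byte). The 16-byte cookie value, the function names (naive_cookie_compare, ct_cookie_bcmp, check_cookie and the demo helpers) and the "bytes examined" counter are all constructed for this demonstration; mitauth.c itself simply calls memcmp() and has no such counter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COOKIE_LEN 16   /* MIT-MAGIC-COOKIE-1 cookies are 16 bytes */

/* Constructed sample cookie for the demo; not a real value from any system. */
static const uint8_t kStoredCookie[COOKIE_LEN] = {
    0x3a, 0x7f, 0xc2, 0x11, 0x9e, 0x05, 0x6b, 0xd8,
    0x44, 0xf0, 0x2d, 0x87, 0x19, 0xaa, 0x5c, 0xe3
};

/* The timing-unsafe pattern the advisory describes: a byte loop (or a typical
 * memcmp()) that returns as soon as one byte differs. The amount of work, and
 * therefore the response time, depends on the position of the first mismatch.
 * *examined reports how many bytes were inspected, for demonstration only. */
int naive_cookie_compare(const uint8_t *a, const uint8_t *b, size_t n,
                         size_t *examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;                /* mismatch, early exit */
        }
    }
    *examined = n;
    return 1;                        /* match */
}

/* Constant-time comparison modelled on OpenBSD's timingsafe_bcmp(): XOR each
 * byte pair and OR the results into an accumulator. The loop always runs all
 * n iterations and contains no data-dependent branch, so the position of the
 * first mismatch no longer influences run time. Returns 0 when the buffers
 * are equal and non-zero otherwise. The volatile reads discourage the
 * compiler from turning the loop back into an early-exit comparison. */
int ct_cookie_bcmp(const void *a, const void *b, size_t n)
{
    const volatile uint8_t *pa = (const volatile uint8_t *)a;
    const volatile uint8_t *pb = (const volatile uint8_t *)b;
    uint8_t acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    return acc != 0;
}

/* Hardened cookie check. The length test is not secret-dependent: a
 * MIT-MAGIC-COOKIE-1 cookie is always COOKIE_LEN bytes. Returns 1 if the
 * received cookie should be accepted, 0 otherwise. */
int check_cookie(const uint8_t *received, size_t recv_len,
                 const uint8_t *stored, size_t stored_len)
{
    if (recv_len != stored_len)
        return 0;
    return ct_cookie_bcmp(received, stored, recv_len) == 0;
}

/* Demo helper: build a guess equal to the stored cookie except for the byte
 * at `pos` (pos >= COOKIE_LEN means "the correct cookie"). */
static void make_guess(uint8_t *guess, size_t pos)
{
    memcpy(guess, kStoredCookie, COOKIE_LEN);
    if (pos < COOKIE_LEN)
        guess[pos] ^= 0x01;
}

/* Number of bytes the naive loop examines for a guess differing at `pos`. */
size_t naive_bytes_examined(size_t pos)
{
    uint8_t guess[COOKIE_LEN];
    size_t examined = 0;
    make_guess(guess, pos);
    naive_cookie_compare(kStoredCookie, guess, COOKIE_LEN, &examined);
    return examined;
}

/* Whether the constant-time check accepts a guess differing at `pos`. */
int ct_cookie_accepted(size_t pos)
{
    uint8_t guess[COOKIE_LEN];
    make_guess(guess, pos);
    return check_cookie(guess, COOKIE_LEN, kStoredCookie, COOKIE_LEN);
}

int main(void)
{
    size_t pos;
    /* pos == COOKIE_LEN is the correct cookie; every other row is a guess
     * whose first wrong byte is at `pos`. */
    for (pos = 0; pos <= COOKIE_LEN; pos++)
        printf("pos=%2zu  naive examined %2zu bytes  ct accepted=%d\n",
               pos, naive_bytes_examined(pos), ct_cookie_accepted(pos));
    return 0;
}
```

The naive loop's "bytes examined" column grows with the position of the first wrong byte, which is exactly the signal a byte-at-a-time brute force would measure; the constant-time path touches all 16 bytes for every guess and only reports accept or reject. In production code, prefer the platform's own primitive (timingsafe_bcmp()/timingsafe_memcmp() on OpenBSD, CRYPTO_memcmp() in OpenSSL) over a hand-rolled loop, and check the compiler's output, since optimizers can still rewrite a loop like this one.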
Acknowledgments: Name: Eric Sesterhenn (X41 D-Sec GmbH)
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created xorg-x11-server tracking bugs for this issue: Affects: fedora-all [bug 1427559]
External References: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/