Bug 1708696 (CVE-2019-10136) - CVE-2019-10136 spacewalk: Insecure computation of authentication signatures during user authentication
Summary: CVE-2019-10136 spacewalk: Insecure computation of authentication signatures d...
Alias: CVE-2019-10136
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=low,public=20190701,reported=2...
Depends On: 1710351
Blocks: 1702600
TreeView+ depends on / blocked
Reported: 2019-05-10 15:26 UTC by Cedric Buissart 🐶
Modified: 2019-07-12 13:07 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that Spacewalk did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum.
Clone Of:
Last Closed: 2019-07-12 13:07:08 UTC

Attachments (Terms of Use)
set field boundaries in signature token (408 bytes, patch)
2019-07-03 08:58 UTC, Cedric Buissart 🐶
no flags Details | Diff

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1661 None None None 2019-07-02 13:59:07 UTC

Description Cedric Buissart 🐶 2019-05-10 15:26:38 UTC
During user authentication, the hash input does not contain any length fields or field boundaries, so that the same hashes are computed e.g. for {server-time=1234, expire-offset=567} (end date 1801) and {server-time=1, expire-offset=234567} (end date 234568).

An attacker could use this flaw to reuse an expired token, and extend its expiry date.

Comment 1 Cedric Buissart 🐶 2019-05-10 15:26:40 UTC

Name: Malte Kraus (SUSE)

Comment 2 Cedric Buissart 🐶 2019-05-10 15:35:02 UTC
in server/apacheAuth.py :
139 def auth_client():
165     clientId = token['x-rhn-server-id']
166     username = token['x-rhn-auth-user-id']
167     signature = token['x-rhn-auth']
168     rhnServerTime = token['x-rhn-auth-server-time']
169     expireOffset = token['x-rhn-auth-expire-offset']
172     computed = computeSignature(CFG.SECRET_KEY, clientId, username,
173                                 rhnServerTime, expireOffset)

There's no separator between the entries : an attacker could capture a regular token, then shift any field's digits to its neighbors, without modifying the signature, ending up in an extended life.
Mainly :
1) It is not uncommon for the username of be empty, so the cliendId's digits can be migrated to Server Time, possibly giving you a long term token at the cost of the server ID
2) rhnServerTime is a float with 2 digits following the '.' : you can migrate these 2 digits to the expire offset to multiply the validity of the token (i.e.: Server time will remain almost the same, but expire will be possibly greatly extended)

Comment 7 errata-xmlrpc 2019-07-02 13:59:06 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2019:1661 https://access.redhat.com/errata/RHSA-2019:1661

Comment 8 Cedric Buissart 🐶 2019-07-03 08:58:55 UTC
Created attachment 1586993 [details]
set field boundaries in signature token

Comment 9 Product Security DevOps Team 2019-07-12 13:07:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.