Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#1254 closed defect (wontfix)

nginx leaks Basic Auth password through timing side channel when {PLAIN} method is used

Reported by: Leon Klingele Owned by:
Priority: critical Milestone:
Component: nginx-module Version: 1.11.x
Keywords: security, timing, side, channel Cc:
uname -a: -
nginx -V: nginx version: nginx/1.12.0
built by gcc 4.9.2 (Debian 4.9.2-10)
built with LibreSSL 2.5.3
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=%{_libdir}/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-file-aio --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' --with-ld-opt=-Wl,-z,relro --with-ipv6 --with-openssl=submodules/libressl --with-pcre=submodules/pcre --with-pcre-jit

Description

When using a {PLAIN} password inside the auth_basic_user_file file (e.g. admin:{PLAIN}myplaintextpassword), nginx leaks this cleartext password through a timing side channel.

Call stack:

  1. https://github.com/nginx/nginx/blob/beaaeb9f9e642d1d153ee65569d99499eef624e9/src/http/modules/ngx_http_auth_basic_module.c#L297
  2. https://github.com/nginx/nginx/blob/beaaeb9f9e642d1d153ee65569d99499eef624e9/src/core/ngx_crypt.c#L36
  3. https://github.com/nginx/nginx/blob/beaaeb9f9e642d1d153ee65569d99499eef624e9/src/core/ngx_crypt.c#L167-L184
  4. https://github.com/nginx/nginx/blob/beaaeb9f9e642d1d153ee65569d99499eef624e9/src/http/modules/ngx_http_auth_basic_module.c#L305

ngx_strcmp is defined via

#define ngx_strcmp(s1, s2)  strcmp((const char *) s1, (const char *) s2)

and thus not timing-resistant.
Please switch to a constant time algorithm, e.g.

unsigned char result = 0;
size_t i = 0;
for (i = 0; i < maxlen; i++) {
	result |= buf1[i] ^ buf2[i];
}
// Free buffers
return result == 0;

Change History (4)

comment:1 by Leon Klingele, 3 years ago

Your issue tracker is broken. I explicitly checked the "Sensitive" checkbox but the issue is still public.

comment:2 by Ruslan Ermilov, 3 years ago

Resolution: wontfix
Status: newclosed

Quote from the docs (http://nginx.org/r/auth_basic_user_file):

currently implemented schemes include PLAIN (an example one, should not be used)

Last edited 3 years ago by Ruslan Ermilov (previous) (diff)

comment:3 by Maxim Dounin, 3 years ago

sensitive: 10

comment:4 by Leon Klingele, 3 years ago

Then why do you still support it / mention it in the docs? Using the PLAIN method is (well, should be) perfectly fine if it's used with a random, one-time password. The scheme has some advantages, especially for public staging servers. IMO that 'should not be used' note is no excuse for the non-constant timing implementation.

Note: See TracTickets for help on using tickets.