oss-sec mailing list archives
RE: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth
From: "Christey, Steven M." <coley () mitre org>
Date: Wed, 24 Jul 2013 04:26:41 +0000
Donald Stufft said:
I don't think this really deserves a CVE. All versions of Django prior to 1.6 (unreleased) have allowed you to determine if a username existed or not via the login failure message, negating the need to do any sort of timing attack.
The simple existence of a timing issue does not automatically qualify something for a CVE. We have typically taken the approach that if there's a "policy" of a product in which the information is not regarded as sensitive - such as intended functionality - then this does not cross "privilege boundaries" and would not qualify for a CVE. For example, if users automatically get public profiles, then the username might not be private.

If Django was intentionally providing this specific login failure details as a convenience to its users, then that forms a "policy" (which still might deserve its own CVE because Django admins might not want that). This is an interesting case, because the "legitimate functionality" (login error message infoleak) is itself (potentially) an issue.

Is the login failure message hard-coded, or is it dependent on configuration? If there's a possible configuration that hides the cause of login failure such as a custom message, then the timing attack would still be a valid scenario for enumerating usernames under that otherwise-good configuration, and would get a CVE.

Regardless, there probably needs to be a CVE for the login failure username enumeration before 1.6 (unless there already is one).

There is still a (minor) question about whether a CVE is necessary for the timing discrepancy. When dealing with closely-related issues, another question is "if issue 1 is fixed, then would that automatically fix issue 2?" (This is effectively finding chains.) In this case, a fix for the login failure error message would not fix the timing discrepancy, so they are distinguishable issues, at the least.

- Steve
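The point Steve makes at the end (a generic "bad username or password" message does not remove the timing discrepancy, because the "no such user" path skips the slow password hash) is easy to see in code. The following is an added, self-contained illustration written for this archive page; it is not Django's `django.contrib.auth` code and does not reproduce the exact fix shipped in 1.6. It uses a constructed in-memory user store, PBKDF2 from the standard library, and a hypothetical `authenticate_vulnerable` / `authenticate_hardened` pair: both return the same generic result for a missing user and a wrong password, but only the hardened one runs the hasher on the missing-user path, which is what removes the timing signal.

```python
import hashlib
import hmac
import os
import time

# Constructed demo store: username -> (salt, pbkdf2 digest). Not real data.
ITERATIONS = 100_000  # slow enough that the skipped hash is easy to measure


def make_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, make_hash("correct horse", _SALT)),
}

# Counter so a test can show which code path ran the slow hasher.
HASH_CALLS = {"count": 0}


def check_password(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["count"] += 1
    return hmac.compare_digest(make_hash(password, salt), expected)


def authenticate_vulnerable(username: str, password: str):
    """Generic failure for both cases (the message leaks nothing), but the
    missing-user branch returns before any hashing: it is much faster."""
    record = USERS.get(username)
    if record is None:
        return None  # early return, no PBKDF2 work -> timing leak
    salt, expected = record
    return username if check_password(password, salt, expected) else None


def authenticate_hardened(username: str, password: str):
    """Same generic result, but the hasher runs on every attempt, so a
    missing user costs about the same as a wrong password."""
    record = USERS.get(username)
    if record is None:
        # Dummy hash against throwaway constants (demo values, not a real
        # credential) so this branch does the same amount of work.
        check_password(password, b"\x00" * 16, b"\x00" * 32)
        return None
    salt, expected = record
    return username if check_password(password, salt, expected) else None


def hash_calls_for(auth_fn, username: str, password: str) -> int:
    """How many times the slow hasher ran during one login attempt."""
    before = HASH_CALLS["count"]
    auth_fn(username, password)
    return HASH_CALLS["count"] - before


def time_login(auth_fn, username: str, password: str, samples: int = 5) -> float:
    """Median wall-clock seconds for one login attempt (what a remote
    attacker would estimate from many requests)."""
    timings = []
    for _ in range(samples):
        t0 = time.perf_counter()
        auth_fn(username, password)
        timings.append(time.perf_counter() - t0)
    timings.sort()
    return timings[len(timings) // 2]


if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_vulnerable),
                     ("hardened", authenticate_hardened)):
        t_exists = time_login(fn, "alice", "wrong password")
        t_missing = time_login(fn, "nobody", "wrong password")
        print(f"{name}: existing user {t_exists * 1000:.1f} ms, "
              f"missing user {t_missing * 1000:.1f} ms")
```

Run it and the vulnerable variant shows a missing user answered in microseconds against tens of milliseconds for an existing one, even though the caller sees `None` in both cases; the hardened variant brings the two within noise of each other. That is the "distinguishable issue": the error-message fix and the timing fix are separate changes to separate code paths.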
Current thread:
- CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth Salvatore Bonaccorso (Jul 22)
- Re: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth Salvatore Bonaccorso (Jul 23)
- Re: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth Henri Salo (Jul 23)
- Re: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth Donald Stufft (Jul 23)
- RE: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth Christey, Steven M. (Jul 23)
- Re: CVE Request: Django: Account enumeration through timing attack in password verification in django.contrib.auth Donald Stufft (Jul 23)