oss-sec mailing list archives
Anymail: CVE-2018-6596: timing attack on WEBHOOK_AUTHORIZATION secret
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 4 Feb 2018 09:08:12 +0100
Hi,

MITRE has assigned CVE-2018-6596 for the following issue in Anymail, a Django email backend for multiple ESPs: https://github.com/anymail/django-anymail/releases/tag/v1.2.1
Prevent timing attack on WEBHOOK_AUTHORIZATION secret

If you are using Anymail's tracking webhooks, you should upgrade to this release, and you may want to rotate to a new WEBHOOK_AUTHORIZATION shared secret (see docs). You should definitely change your webhook auth if your logs indicate attempted exploit.

More information

Anymail's webhook validation was vulnerable to a timing attack. An attacker could have used this to obtain your WEBHOOK_AUTHORIZATION shared secret, potentially allowing them to post fabricated or malicious email tracking events to your app.

There have not been any reports of attempted exploit. (The vulnerability was discovered through code review.) Attempts would be visible in HTTP logs as a very large number of 400 responses on Anymail's webhook urls (by default "/anymail/esp_name/tracking/"), and in Python error monitoring as a very large number of AnymailWebhookValidationFailure exceptions.
Here is the upstream fix for v1.3:
https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5
and for v1.2.1:
https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

Regards,
Salvatore
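The following is an added example, not code from the advisory, from Anymail or from the linked commits. It models the class of bug described above: a secret comparison that stops at the first mismatching byte, so the time a request takes tells the attacker how many leading bytes of the guess were right. The block shows (1) that short-circuit comparison as a deterministic oracle that reports how many bytes were examined, standing in for a response-time measurement, (2) a byte-by-byte recovery routine driven only by that oracle, (3) a hardened check using hmac.compare_digest, and (4) a small scan over constructed Common Log Format lines for the symptom the release notes describe, many 400 responses on /anymail/<esp>/tracking/. The secret value, the assumption that the shared secret arrives as HTTP Basic auth in "username:password" form, the log lines and all function names are constructed for the example.

```python
"""Timing-attack oracle, recovery, constant-time fix and log check (added example)."""
import base64
import hmac
import re
from collections import Counter
from typing import Callable, Iterable, Optional, Tuple

# Hypothetical shared secret in "username:password" form (constructed, not a real value).
WEBHOOK_AUTHORIZATION = "hookuser:s3cretT0ken"


def basic_header(user_pass: bytes) -> str:
    """Build an 'Authorization: Basic ...' header value for user_pass (assumed format)."""
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def credentials_from_header(authorization: Optional[str]) -> Optional[bytes]:
    """Decode a Basic auth header to the raw 'user:pass' bytes, or None if malformed."""
    if not authorization:
        return None
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def short_circuit_compare(supplied: bytes, secret: bytes) -> Tuple[bool, int]:
    """The vulnerable pattern: return at the first byte that differs.

    Returns (equal, bytes_examined). The count stands in for the elapsed time an
    attacker would measure; it grows by one for every leading byte guessed right.
    """
    examined = 0
    if len(supplied) != len(secret):
        return False, examined
    for a, b in zip(supplied, secret):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def recover_secret(oracle: Callable[[bytes], Tuple[bool, int]],
                   alphabet: bytes, max_len: int = 64) -> Optional[bytes]:
    """Recover the secret using only the oracle's timing signal (never its boolean)."""
    # A wrong length returns before any byte is examined, so the first length
    # for which at least one byte is examined is the right one.
    length = next((n for n in range(1, max_len + 1) if oracle(b"\x00" * n)[1] > 0), None)
    if length is None:
        return None
    known = b""
    for pos in range(length):
        found = None
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            ok, examined = oracle(guess)
            if ok:
                return guess  # last byte found, guess is the full secret
            if examined > pos + 1:  # mismatch came later, so byte at pos was right
                found = c
                break
        if found is None:
            return None
        known += bytes([found])
    return known


def validate_webhook_auth(authorization: Optional[str],
                          secret: str = WEBHOOK_AUTHORIZATION) -> bool:
    """Hardened check: compare_digest runs in time independent of the contents.

    It still returns early on a length mismatch, which only leaks the secret's
    length, not its bytes; a random secret of known format is not weakened by that.
    """
    supplied = credentials_from_header(authorization)
    if supplied is None:
        return False
    return hmac.compare_digest(supplied, secret.encode("utf-8"))


# Detection side: a brute-force run shows up as many 400s on the webhook URLs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WEBHOOK_PATH = re.compile(r"^/anymail/[^/]+/tracking/?$")

# Constructed sample log lines (Common Log Format); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [04/Feb/2018:08:00:01 +0000] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 52',
    '203.0.113.9 - - [04/Feb/2018:08:00:01 +0000] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 52',
    '203.0.113.9 - - [04/Feb/2018:08:00:02 +0000] "POST /anymail/mailgun/tracking/ HTTP/1.1" 400 52',
    '198.51.100.4 - - [04/Feb/2018:08:00:05 +0000] "POST /anymail/mailgun/tracking/ HTTP/1.1" 200 2',
    '198.51.100.4 - - [04/Feb/2018:08:00:06 +0000] "GET /static/app.js HTTP/1.1" 400 0',
]


def failed_webhook_auth_by_ip(log_lines: Iterable[str]) -> Counter:
    """Count 400 responses on Anymail tracking webhook paths per client address."""
    hits: Counter = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m["status"] == "400" and WEBHOOK_PATH.match(m["path"]):
            hits[m["ip"]] += 1
    return hits


if __name__ == "__main__":
    secret = WEBHOOK_AUTHORIZATION.split(":", 1)[1].encode()
    printable = bytes(range(0x21, 0x7F))
    print("recovered:", recover_secret(lambda g: short_circuit_compare(g, secret), printable))
    print("hardened check accepts real secret:", validate_webhook_auth(basic_header(WEBHOOK_AUTHORIZATION.encode())))
    print("400s on webhook URLs by IP:", dict(failed_webhook_auth_by_ip(SAMPLE_LOG)))
```

Note that recover_secret never reads the oracle's boolean except to stop once the last byte is found; the whole secret is driven out of the byte count alone, which is exactly the signal a response timer gives an attacker over the network (with noise, hence the "very large number" of requests the release notes mention). Rotating the secret after upgrading matters because a partially recovered prefix keeps its value against the old secret even once the comparison is fixed.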