oss-sec mailing list archives
[CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack
From: Aaron Patterson <aaron.patterson () gmail com>
Date: Wed, 18 Dec 2019 10:16:02 -0800
There is a possible information leak / session hijacking vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2019-16782. Versions Affected: All. Not affected: None. Fixed Versions: 1.6.12, 2.0.8 There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. Impact ------ The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session. Releases -------- The 1.6.12 and 2.0.8 releases are available at the normal locations. Workarounds ----------- There are no known workarounds. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. 1-6-session-timing-attack.patch - Patch for 1.6 series 2-0-session-timing-attack.patch - Patch for 2.6 series Credits ------- Thanks Will Leinweber for reporting this! -- Aaron Patterson http://tenderlovemaking.com/
Attachment:
1-6-session-timing-attack.patch
Description:
Attachment:
2-0-session-timing-attack.patch
Description:
Attachment:
signature.asc
Description:
Current thread:
- [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Aaron Patterson (Dec 18)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Alexander E. Patrakov (Dec 18)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Stuart D. Gathman (Dec 19)
- Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack Alexander E. Patrakov (Dec 18)