
List:       oss-security
Subject:    RE: [oss-security] CVE Request: Django: Account enumeration through timing attack in password verifi
From:       "Christey, Steven M." <coley () mitre ! org>
Date:       2013-07-24 4:26:41
Message-ID: FC72FC641B949240B947AC6F1F83FBAF26F9CFE2 () IMCMBX01 ! MITRE ! ORG

Donald Stufft said:

>I don't think this really deserves a CVE. All versions of Django prior to
>1.6 (unreleased) have allowed you to determine if a username existed
>or not via the login failure message, negating the need to do any sort
>of timing attack.

The simple existence of a timing issue does not automatically qualify something for a CVE.  We have typically taken the approach that if there's a "policy" of a product in which the information is not regarded as sensitive - such as intended functionality - then this does not cross "privilege boundaries" and would not qualify for a CVE.  For example, if users automatically get public profiles, then the username might not be private.  If Django was intentionally providing these specific login failure details as a convenience to its users, then that forms a "policy" (which still might deserve its own CVE because Django admins might not want that).

This is an interesting case, because the "legitimate functionality" (login error message infoleak) is itself (potentially) an issue.

Is the login failure message hard-coded, or is it dependent on configuration?  If there's a possible configuration that hides the cause of login failure such as a custom message, then the timing attack would still be a valid scenario for enumerating usernames under that otherwise-good configuration, and would get a CVE.

Regardless, there probably needs to be a CVE for the login failure username enumeration before 1.6 (unless there already is one).

There is still a (minor) question about whether a CVE is necessary for the timing discrepancy.  When dealing with closely-related issues, another question is "if issue 1 is fixed, then would that automatically fix issue 2?"  (This is effectively finding chains.)  In this case, a fix for the login failure error message would not fix the timing discrepancy, so they are distinguishable issues, at the least.

- Steve
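The two distinguishable issues in the message above, shown side by side as an added example (constructed for this archive page, not Django's own code): a toy PBKDF2 user store stands in for the authentication backend, `login_generic_message` fixes only the error message, and `login_hardened` also runs a dummy hash for unknown users so both failure paths do the same work. The names, the store and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed; large enough that skipping the hash is measurable

def make_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store: username -> (salt, stored hash)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, make_hash("correct horse", _SALT))}
DUMMY_SALT = os.urandom(16)  # salt used for the dummy hash on unknown users

def login_naive(username: str, password: str):
    """Leaks twice: a distinct message AND a fast path that skips the hash."""
    if username not in USERS:
        return (False, "unknown user")
    salt, stored = USERS[username]
    if hmac.compare_digest(make_hash(password, salt), stored):
        return (True, "ok")
    return (False, "wrong password")

def login_generic_message(username: str, password: str):
    """Fixes issue 1 (the message) only; the timing discrepancy remains."""
    ok, _ = login_naive(username, password)
    return (ok, "ok" if ok else "invalid credentials")

def login_hardened(username: str, password: str):
    """Generic message plus a dummy hash when the user is unknown, so the
    unknown-user and wrong-password paths cost the same."""
    if username in USERS:
        salt, stored = USERS[username]
    else:
        salt, stored = DUMMY_SALT, None
    computed = make_hash(password, salt)
    if stored is not None and hmac.compare_digest(computed, stored):
        return (True, "ok")
    return (False, "invalid credentials")

def time_login(fn, username: str, password: str) -> float:
    """Wall-clock seconds for one login attempt (for comparing the paths)."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start
```

Comparing `time_login` for an unknown user against a known user with a wrong password shows the gap in the first two functions and its absence in the hardened one.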
