A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack.
Find out more about CVE-2015-7576 from the MITRE CVE dictionary dictionary and NIST NVD.
Base Score | 4.3 |
---|---|
Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Access Vector | Network |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | None |
Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-ror41-rubygem-actionpack) | RHSA-2016:0296 | 2016-02-24 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (ruby193-rubygem-actionpack) | RHSA-2016:0455 | 2016-03-15 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (ror40-rubygem-actionpack) | RHSA-2016:0454 | 2016-03-15 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-ror41-rubygem-actionpack) | RHSA-2016:0296 | 2016-02-24 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 (ror40-rubygem-actionpack) | RHSA-2016:0454 | 2016-03-15 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 (ruby193-rubygem-actionpack) | RHSA-2016:0455 | 2016-03-15 |
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | ruby193-rubygem-actionpack | Will not fix |
Red Hat Subscription Asset Manager 1 | rubygem-actionpack | Will not fix |
Use following code to monkey-patch http_basic_authenticate_with method in ActionController:
module ActiveSupport
module SecurityUtils
def secure_compare(a, b)
return false unless a.bytesize == b.bytesize
l = a.unpack "C#{a.bytesize}"
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
end
module_function :secure_compare
def variable_size_secure_compare(a, b)
secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
end
module_function :variable_size_secure_compare
end
end
module ActionController
class Base
def self.http_basic_authenticate_with(options = {})
before_action(options.except(:name, :password, :realm)) do
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
# This comparison uses & so that it doesn't short circuit and
# uses `variable_size_secure_compare` so that length information
# isn't leaked.
ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
end
end
end
end
end