usd-2018-0034 | Dropbear/2011.54 up to 2019.77

Advisory ID: usd-2018-0034
CVE-ID: CVE-2019-12953
Affected Product: Dropbear
Affected Version: 2011.54 up to 2019.77
Vulnerability Type: User Enumeration
Security Risk: Low
Vendor URL: https://matt.ucc.asn.au/dropbear/dropbear.html
Vendor Status: Fixed

Description

Description based on commit 6f6ef4834c792f7ccf2409080a6adaf44b8f0d51

Dropbear does not crypt the password if the username is invalid. By sending
a long password, it is possible to measure time difference and enumerate
valid/invalid usernames.

Proof of Concept (PoC)

Vulnerable code example:

svr-authpasswd.c

password = buf_getstring(ses.payload, &passwordlen);
if (valid_user) {
/* the first bytes of passwdcrypt are the salt */
passwdcrypt = ses.authstate.pw_passwd;
testcrypt = crypt(password, passwdcrypt);
}

Fix

Make sure that the different branches in the authentication process all require the same execution time in order to hinder timing attacks.

Timeline

  • 2018-10-19 Daniel Hoffmann discovered the bug
  • 2018-11-02 notification to matt@ucc.asn.au
  • 2018-11-04 received response stating to fix the vulnerability
  • 2018-11-05 the developer tried to mitigate the issue (commit 02ffdd09dc1941f7a924cde8db288fcd64987f59)
  • 2019-01-07 verified that exploit still works (commit cb945f9f670e95305c7c5cc5ff344d1f2707b602)
  • 2019-01-11 sent disclosure reminder
  • 2019-01-30 Security advisory released
  • 2019-03-23 vendor releases fixed version 2019.77 (commit 8b4f60a7a113f4e9ae801dea88606f2663728f03)

Credits

This security vulnerability was found by Daniel Hoffmann of usd AG.