Date: Sun, 4 Feb 2018 09:08:12 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: Anymail: CVE-2018-6596: timing attack on WEBHOOK_AUTHORIZATION secret

Hi

MITRE has assigned CVE-2018-6596 for the following issue in Anymail, a
Django email backend for multiple ESPs:

https://github.com/anymail/django-anymail/releases/tag/v1.2.1
> Prevent timing attack on WEBHOOK_AUTHORIZATION secret
> 
> If you are using Anymail's tracking webhooks, you should upgrade to
> this release, and you may want to rotate to a new
> WEBHOOK_AUTHORIZATION shared secret (see docs). You should
> definitely change your webhook auth if your logs indicate attempted
> exploit.
> 
> More information
> 
> Anymail's webhook validation was vulnerable to a timing attack. An
> attacker could have used this to obtain your WEBHOOK_AUTHORIZATION
> shared secret, potentially allowing them to post fabricated or
> malicious email tracking events to your app.
> 
> There have not been any reports of attempted exploit. (The
> vulnerability was discovered through code review.) Attempts would be
> visible in HTTP logs as a very large number of 400 responses on
> Anymail's webhook urls (by default "/anymail/esp_name/tracking/"),
> and in Python error monitoring as a very large number of
> AnymailWebhookValidationFailure exceptions.

Here is the upstream fix for v1.3
https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5
and v1.2.1
https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

Regards,
Salvatore
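The flaw and its remedy in miniature, as an added Python example that is not Anymail's own code: a webhook Basic-auth check that compares the shared secret with `==` (response time depends on how long the matching prefix is) beside one using `hmac.compare_digest`; the secret value and the `WEBHOOK_SECRETS` name are constructed for the illustration.

```python
"""Added illustration (not Anymail's code): plain string comparison of a
webhook shared secret leaks timing; a constant-time compare does not."""
import base64
import hmac

# Constructed sample in the "username:password" form a Basic-auth webhook
# secret takes; the real setting name in Anymail is not reproduced here.
WEBHOOK_SECRETS = ["hookuser:s3cr3t-shared-value"]


def _basic_credentials(authorization_header):
    """Decode an HTTP Basic Authorization header into 'user:password', or None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def validate_webhook_vulnerable(authorization_header, secrets=WEBHOOK_SECRETS):
    """Flawed pattern: `==` on strings stops at the first differing byte, so
    the time taken reveals how much of the guessed secret was correct."""
    creds = _basic_credentials(authorization_header)
    return creds is not None and any(creds == s for s in secrets)


def validate_webhook_fixed(authorization_header, secrets=WEBHOOK_SECRETS):
    """Hardened check: hmac.compare_digest takes time independent of where
    equal-length inputs differ (length itself may still be observable).
    `|=` over all secrets avoids short-circuiting on the first match."""
    creds = _basic_credentials(authorization_header)
    if creds is None:
        return False
    given = creds.encode("utf-8")
    ok = False
    for s in secrets:
        ok |= hmac.compare_digest(given, s.encode("utf-8"))
    return ok


def make_header(user_and_password):
    """Build a Basic Authorization header value (used for testing the checks)."""
    return "Basic " + base64.b64encode(user_and_password.encode("utf-8")).decode("ascii")
```

Both functions accept the same credentials; only the fixed one keeps the rejection time unrelated to the guess, which is why the advisory also recommends rotating the secret after upgrading.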
