Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 4 Feb 2018 09:08:12 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: Anymail: CVE-2018-6596: timing attack on WEBHOOK_AUTHORIZATION secret

Hi

MITRE has assigned CVE-2018-6596 for the following issue in Anymail, a
Django email backends for multiple ESPs:

https://github.com/anymail/django-anymail/releases/tag/v1.2.1
> Prevent timing attack on WEBHOOK_AUTHORIZATION secret
> 
> If you are using Anymail's tracking webhooks, you should upgrade to
> this release, and you may want to rotate to a new
> WEBHOOK_AUTHORIZATION shared secret (see docs). You should
> definitely change your webhook auth if your logs indicate attempted
> exploit.
> 
> More information
> 
> Anymail's webhook validation was vulnerable to a timing attack. An
> attacker could have used this to obtain your WEBHOOK_AUTHORIZATION
> shared secret, potentially allowing them to post fabricated or
> malicious email tracking events to your app.
> 
> There have not been any reports of attempted exploit. (The
> vulnerability was discovered through code review.) Attempts would be
> visible in HTTP logs as a very large number of 400 responses on
> Anymail's webhook urls (by default "/anymail/esp_name/tracking/"),
> and in Python error monitoring as a very large number of
> AnymailWebhookValidationFailure exceptions.

There is the upstream fix for v1.3
https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5
and v1.2.1
https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.