Message-Id: <18957144-3F90-4803-AA90-53D6900BDD80@sigma-star.at>
Date: Sat, 7 Sep 2024 12:54:44 +0200
From: David Gstir <david@...ma-star.at>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-45751: CHAP authentication bypass in user-space Linux target
 framework (tgt) up to v1.0.92

## Summary

The user-space iSCSI target daemon of the Linux target framework (tgt) uses an insecure
random number generator to generate CHAP authentication challenges. This results in
predictable challenges, which an attacker capable of recording network traffic between
iSCSI target and initiator can abuse to bypass CHAP authentication by replaying
previously observed responses.

- *Identifier:*                   sigma-star-sa-2024-001
- *Type of vulnerability (CWE):*  Use of cryptographically weak pseudo-random
                                 number generator ([CWE-338](https://cwe.mitre.org/data/definitions/338.html))
- *Vendor:*                       -
- *Product/Software:*             [The Linux target framework (tgt)](https://github.com/fujita/tgt)
- *Affected versions:*            <= 1.0.92
- *Fixed versions:*               1.0.93
- *CVE ID:*                       CVE-2024-45751

## Affected Product and Vendor

> The Linux target framework (tgt) is a user space SCSI target framework that
> supports the iSCSI and iSER transport protocols and that supports multiple
> methods for accessing block storage. Tgt consists of user-space daemon and tools.

Source: https://github.com/fujita/tgt/blob/e393a80b02b8cb90709c75f9bd91542ea3a78d58/README.md

## Description

`tgt` supports CHAP for authenticating initiators. As defined in the [CHAP specification](https://datatracker.ietf.org/doc/html/rfc1994#section-2)
the target generates a random challenge and sends it to the initiator. `tgt` fails
to use a cryptographically secure random number generator for this. Instead it
simply uses the [`rand()`](https://man7.org/linux/man-pages/man3/srand.3.html) call without
setting a seed using `srand()` first. Thus the default seed (equivalent to `srand(1)`) will be used.
This results in a predictable sequence of numbers being returned by subsequent
calls to `rand()`.

Note that even though `tgt` generates a random length for each challenge,
this does not affect the predictability of challenges as these lengths will
also be generated using predictable output of `rand()`.

```c
static int chap_initiator_auth_create_challenge(struct iscsi_connection *conn)
{
	char *value, *p;
	char text[CHAP_CHALLENGE_MAX * 2 + 8];
	static int chap_id;
	int i;

	[...]

	/*
	 * FIXME: does a random challenge length provide any benefits security-
	 * wise, or should we rather always use the max. allowed length of
	 * 1024 for the (unencoded) challenge?
	 */
	conn->auth.chap.challenge_size = (rand() % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2;

	conn->auth.chap.challenge = malloc(conn->auth.chap.challenge_size);
	if (!conn->auth.chap.challenge)
		return CHAP_TARGET_ERROR;

	p = text;
	strcpy(p, "0x");
	p += 2;
	for (i = 0; i < conn->auth.chap.challenge_size; i++) {
		conn->auth.chap.challenge[i] = rand();
		sprintf(p, "%.2hhx", conn->auth.chap.challenge[i]);
		p += 2;
	}
	text_key_add(conn, "CHAP_C",  text);

	return 0;
}
```

Source: https://github.com/fujita/tgt/blob/v1.0.92/usr/iscsi/chap.c#L333
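The following C program is an added illustration, not code from the advisory or from tgt. It reproduces the challenge arithmetic of the excerpt above (length first, then one `rand()` call per byte, all from an unseeded generator), shows that an attacker can regenerate the n-th challenge a freshly started target will issue by starting from `srand(1)` and walking the sequence, and contrasts that with a `getrandom()`-based generator of the kind the Mitigation section recommends. `CHAP_CHALLENGE_MAX = 1024` is assumed from the FIXME comment in the excerpt; all function and type names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>

/* Assumed from the FIXME comment in the tgt excerpt (max unencoded length 1024). */
#define CHAP_CHALLENGE_MAX 1024

struct chap_challenge {
	size_t size;
	unsigned char bytes[CHAP_CHALLENGE_MAX];
};

/* Vulnerable generator: the same arithmetic as tgt's
 * chap_initiator_auth_create_challenge(). rand() is never seeded, so the
 * first call in the process behaves exactly as if srand(1) had been run. */
static void weak_challenge(struct chap_challenge *c)
{
	size_t i;

	c->size = (rand() % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2;
	for (i = 0; i < c->size; i++)
		c->bytes[i] = (unsigned char)rand();
}

/* Attacker side: reset to the default seed and walk forward to the n-th
 * (0-based) challenge the target will issue after a restart. This needs no
 * traffic at all; recorded traffic only tells the attacker which position in
 * the sequence a captured CHAP response belongs to. */
static void predict_nth_weak_challenge(unsigned n, struct chap_challenge *c)
{
	unsigned k;

	srand(1);
	for (k = 0; k <= n; k++)
		weak_challenge(c);
}

/* getrandom(2) may return fewer bytes than requested (e.g. when interrupted
 * by a signal for requests larger than 256 bytes), so loop until full. */
static int fill_random(void *buf, size_t len)
{
	unsigned char *p = buf;

	while (len > 0) {
		ssize_t r = getrandom(p, len, 0);
		if (r < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		p += r;
		len -= (size_t)r;
	}
	return 0;
}

/* Hardened generator: length and bytes both come from the kernel CSPRNG.
 * The divisor 512 is a power of two, so the modulo introduces no bias. */
static int strong_challenge(struct chap_challenge *c)
{
	uint32_t rnd;

	if (fill_random(&rnd, sizeof(rnd)) < 0)
		return -1;
	c->size = (rnd % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2;
	return fill_random(c->bytes, c->size);
}

/* Encode the challenge as tgt places it in the CHAP_C login key:
 * "0x" followed by lowercase hex. out must hold 2 + 2 * size + 1 bytes. */
static void challenge_to_text(const struct chap_challenge *c, char *out)
{
	size_t i;

	strcpy(out, "0x");
	for (i = 0; i < c->size; i++)
		sprintf(out + 2 + 2 * i, "%02hhx", c->bytes[i]);
}

static int challenges_equal(const struct chap_challenge *a, const struct chap_challenge *b)
{
	return a->size == b->size && memcmp(a->bytes, b->bytes, a->size) == 0;
}

/* 1 if the first challenge of a process that never called srand() equals the
 * attacker's offline prediction. Must run before any other rand() user. */
int first_unseeded_challenge_is_predictable(void)
{
	struct chap_challenge live, predicted;

	weak_challenge(&live);
	predict_nth_weak_challenge(0, &predicted);
	return challenges_equal(&live, &predicted);
}

/* 1 if predicting the n-th challenge twice yields identical bytes and a
 * length within tgt's [512, 1024) range: the sequence is fully determined. */
int weak_challenge_is_reproducible(unsigned n)
{
	struct chap_challenge a, b;

	predict_nth_weak_challenge(n, &a);
	predict_nth_weak_challenge(n, &b);
	return challenges_equal(&a, &b) &&
	       a.size >= CHAP_CHALLENGE_MAX / 2 && a.size < CHAP_CHALLENGE_MAX;
}

/* 1 if two getrandom()-based challenges are both in range and differ. */
int strong_challenges_differ(void)
{
	struct chap_challenge a, b;

	if (strong_challenge(&a) < 0 || strong_challenge(&b) < 0)
		return 0;
	return !challenges_equal(&a, &b) &&
	       a.size >= CHAP_CHALLENGE_MAX / 2 && a.size < CHAP_CHALLENGE_MAX;
}

int main(void)
{
	struct chap_challenge c;
	char text[CHAP_CHALLENGE_MAX * 2 + 8];

	printf("unseeded first challenge predictable: %s\n",
	       first_unseeded_challenge_is_predictable() ? "yes" : "no");
	predict_nth_weak_challenge(0, &c);
	challenge_to_text(&c, text);
	printf("weak   CHAP_C=%.22s... (%zu bytes)\n", text, c.size);
	if (strong_challenge(&c) == 0) {
		challenge_to_text(&c, text);
		printf("strong CHAP_C=%.22s... (%zu bytes)\n", text, c.size);
	}
	return 0;
}
```

Run on any Linux with glibc 2.25 or later (for `getrandom()`); the weak `CHAP_C` value printed is the same on every run and on every host using the same libc, which is exactly what lets a recorded response be replayed after the daemon restarts.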

## Impact

An attacker who is able to record network traffic between iSCSI target
and initiator can mount a replay attack to bypass the CHAP authentication.
All the attacker has to do is wait for the server or the service to restart
and then replay a previously recorded CHAP response at the point in the
challenge sequence where it fits.

Having bypassed CHAP authentication, the attacker holds the privileges of
the impersonated initiator and can access and modify the iSCSI target at will
within those privileges.

## Mitigation

We recommend replacing the pseudo-random number generator (`rand()`) with
`getrandom()`, as this will yield cryptographically secure pseudo-random numbers
suitable for CHAP challenges.

Version 1.0.93 contains this fix.

## Patches

- https://github.com/fujita/tgt/pull/67/commits/abd8e0d987ab56013d360077202bf2aca20a42dd (chap: Use proper entropy source)

## Disclosure Timeline

- 2024-09-03: Vulnerability disclosed to vendor
- 2024-09-04: Patch submitted to vendor and version 1.0.93 released by vendor
- 2024-09-07: Advisory published

## Credits

- Richard Weinberger ([sigma star gmbh](https://sigma-star.at))
- David Gstir ([sigma star gmbh](https://sigma-star.at))
