Bug 478286 (CVE-2013-4165) - net-p2p/bitcoind: Timing leak (CVE-2013-4165)
Summary: net-p2p/bitcoind: Timing leak (CVE-2013-4165)
Status: RESOLVED FIXED
Alias: CVE-2013-4165
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/bitcoin/bitcoin/is...
Whiteboard: B4 [noglsa]
Reported: 2013-07-26 20:02 UTC by Agostino Sarubbo
Modified: 2013-10-09 03:29 UTC (History)
Description Agostino Sarubbo gentoo-dev 2013-07-26 20:02:40 UTC
From ${URL} :

bool HTTPAuthorized(map<string, string>& mapHeaders)
{
    string strAuth = mapHeaders["authorization"];
    if (strAuth.substr(0,6) != "Basic ")
        return false;
    string strUserPass64 = strAuth.substr(6); boost::trim(strUserPass64);
    string strUserPass = DecodeBase64(strUserPass64);
    return strUserPass == strRPCUserColonPass;
}

Last string comparison strUserPass == strRPCUserColonPass gets compiled to:

    do
    {
      if ( !len )
        break;
      less = *(_BYTE *)strUserPass < *(_BYTE *)strRPCUserColonPass;
      eq = *(_BYTE *)strUserPass++ == *(_BYTE *)strRPCUserColonPass++;
      --len;
    }
    while ( eq );

which is a byte-by-byte compare. An attacker with a precise clock (being in the same LAN, for example) might learn the RPC password letter by letter, by trying passwords like "a...", "b...", "c..." and observing which took the longest time to verify.

This code in bitcoinrpc.cpp:

            if (mapArgs["-rpcpassword"].size() < 20)
                MilliSleep(250);

protects from brute force for short passwords. Unfortunately, when run, bitcoind suggests a 32-character password. Paradoxically, short passwords are safer to use than longer ones with respect to the timing leak.

Here's an example of time independent array comparison: http://rdist.root.org/2010/01/07/timing-independent-array-comparison/


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
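
The early-exit comparison from the description next to a timing-independent one, as an added example that is not part of the original report and is not bitcoind's own code. The names CompareResult, EarlyExitEqual and ConstantTimeEqual are hypothetical, bytesExamined is an instrumentation counter standing in for elapsed time, and the credential string is a constructed sample.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// bytesExamined stands in for elapsed time, the quantity a timing attacker measures.
struct CompareResult { bool equal; std::size_t bytesExamined; };

// Early-exit compare, same behaviour as the decompiled loop: stops at the first
// mismatching byte, so the work done grows with the length of the correct prefix.
CompareResult EarlyExitEqual(const std::string& supplied, const std::string& secret)
{
    if (supplied.size() != secret.size()) return {false, 0};
    for (std::size_t i = 0; i < supplied.size(); ++i)
        if (supplied[i] != secret[i]) return {false, i + 1};
    return {true, supplied.size()};
}

// Timing-independent compare (hypothetical name): every supplied byte is XOR-ed
// against the secret and OR-ed into an accumulator; no branch depends on content.
CompareResult ConstantTimeEqual(const std::string& supplied, const std::string& secret)
{
    if (secret.empty()) return {supplied.empty(), 0};
    std::size_t acc = supplied.size() ^ secret.size(); // length mismatch sets bits
    std::size_t examined = 0;
    for (std::size_t i = 0; i < supplied.size(); ++i, ++examined)
        acc |= static_cast<unsigned char>(supplied[i] ^ secret[i % secret.size()]);
    return {acc == 0, examined};
}

int main()
{
    const std::string secret = "rpcuser:constructed-sample-pass"; // constructed value
    const std::string guesses[] = {
        "Xpcuser:constructed-sample-pass",  // wrong at byte 0
        "rpcuser:Xonstructed-sample-pass",  // wrong at byte 8
        secret,                             // correct
    };
    for (const std::string& g : guesses) {
        CompareResult early = EarlyExitEqual(g, secret);
        CompareResult fixed = ConstantTimeEqual(g, secret);
        std::cout << "early-exit examined " << early.bytesExamined
                  << ", constant-time examined " << fixed.bytesExamined
                  << ", match=" << fixed.equal << "\n";
    }
    return 0;
}
```

The loop length in ConstantTimeEqual depends only on the supplied value, which the client already knows, so the count no longer varies with how much of the secret was guessed correctly.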
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:55:18 UTC
CVE-2013-4165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4165):
  The HTTPAuthorized function in bitcoinrpc.cpp in bitcoind 0.8.1 provides
  information about authentication failure upon detecting the first incorrect
  byte of a password, which makes it easier for remote attackers to determine
  passwords via a timing side-channel attack.
Comment 2 Luke-Jr 2013-08-29 16:22:40 UTC
Not a real concern, as RPC is not exposed to any untrusted interfaces (the options exist, but it is not recommended or supported).
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-09 03:29:49 UTC
Closing fixed, 0.8.5 has been stabilized in the meantime.