Time-based side-channel attacks on secrets – (WPMU Defender <= 3.3.0)

Affected plugin: WPMU Defender
Active installs: 70,000+
Vulnerable version: <= 3.3.0
Audited version: 3.2.0
Fully patched version:
Recommended remediation: Removal of the plugin

Description


In almost every place where a secret key is compared to user input, the plugin uses ordinary string comparison operators (e.g. `===`) that do not mitigate timing attacks: the comparison stops at the first differing byte, so the response time depends on how much of the secret the input matched.
A skilled attacker who can send enough requests can measure these differences and recover the secret byte by byte through a time-based side channel.

Proof of concept


Validation of 2FA emergency codes sent by email:

public function validate_authentication( $user ) {
	$otp         = HTTP::post( 'otp' );
	$backup_code = get_user_meta( $user->ID, 'defenderBackupCode', true );
	// Vulnerable: `===` compares the secret byte by byte and returns on the first
	// mismatch, so its running time depends on how much of the code matched.
	if ( ! empty( $backup_code ) && $backup_code['code'] === $otp && strtotime( '+3 minutes', $backup_code['time'] ) > time() ) {
		delete_user_meta( $user->ID, 'defenderBackupCode' );
		return true;
	} else {
		return new \WP_Error( 'opt_fail', __( 'ERROR: Invalid passcode.', 'wpdef' ) );
	}
}

Passing a secret into a MySQL WHERE clause introduces the same side channel, because the database's string comparison is not constant-time either:

// Vulnerable: the secret login token is used as the lookup value, so MySQL's
// non-constant-time string comparison leaks how much of it matched.
$query = new \WP_User_Query( [
	'blog_id'    => 0,
	'meta_key'   => 'defender_two_fa_token',
	'meta_value' => $login_token,
] );

As an aside, the above query is also very resource intensive, since the "meta_value" column of "wp_usermeta" has no index and every lookup has to scan the table.

Proposed patch


Exclusively use hash_equals() to compare secrets, and never use a secret as a database lookup key.
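As an added example (not the plugin's own code, and not part of the advisory), here is how the two vulnerable spots above could be rewritten to follow the proposed patch. The backup-code check is the function from the proof of concept with `===` replaced by hash_equals(). For the token lookup, the example assumes the client can send the user ID it was issued the token for, so that the database is queried by a non-secret key and the secret itself is only ever compared with hash_equals(); the function names and the `$user_id` parameter are assumptions, while the meta keys are the ones shown in the advisory. WordPress helpers (get_user_meta(), delete_user_meta(), \WP_Error) are assumed to be available.

```php
<?php
// Added example, not code from the WPMU Defender plugin.
// Assumes WordPress helpers and the meta keys named in the advisory.

/**
 * Hardened backup-code check. hash_equals() takes time that depends only on
 * the length of the stored value, not on where the first differing byte is.
 */
function defender_validate_backup_code( int $user_id, string $otp ) {
	$backup_code = get_user_meta( $user_id, 'defenderBackupCode', true );

	if ( empty( $backup_code ) || ! isset( $backup_code['code'], $backup_code['time'] ) ) {
		return new \WP_Error( 'otp_fail', 'ERROR: Invalid passcode.' );
	}

	// hash_equals() requires two strings (the known value goes first), so cast
	// explicitly rather than relying on loose comparison.
	$code_ok = hash_equals( (string) $backup_code['code'], $otp );
	$time_ok = strtotime( '+3 minutes', (int) $backup_code['time'] ) > time();

	// Both checks are evaluated before branching; the expiry check is not
	// secret-dependent, so its cost does not leak anything about the code.
	if ( ! $code_ok || ! $time_ok ) {
		return new \WP_Error( 'otp_fail', 'ERROR: Invalid passcode.' );
	}

	delete_user_meta( $user_id, 'defenderBackupCode' );
	return true;
}

/**
 * Token verification without a secret in the WHERE clause. The lookup key is
 * the (non-secret) user ID; the secret is compared only with hash_equals().
 * Assumption: the login flow sends the user ID alongside the token.
 */
function defender_verify_login_token( int $user_id, string $login_token ): bool {
	$stored = get_user_meta( $user_id, 'defender_two_fa_token', true );

	if ( ! is_string( $stored ) || $stored === '' ) {
		return false;
	}

	return hash_equals( $stored, $login_token );
}
```

If the flow cannot carry a user ID, an alternative is to store `hash( 'sha256', $token )` in the meta row and query on the hash of the submitted value: the attacker does not control the individual bytes being compared by MySQL, so a byte-by-byte leak of the stored hash does not reveal the token. In either variant the secret itself never drives the database comparison, and the query on `user_id` or on an indexed hash also avoids the full scan of the unindexed `meta_value` column noted above.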

Timeline


Vendor contacted: September 07, 2022
First response: September 08, 2022
Fully patched at:
Publicly disclosed: April 24, 2023

Miscellaneous

