| Affected plugin | WPMU Defender |
| --- | --- |
| Active installs | 70,000+ |
| Vulnerable version | <= 3.3.0 |
| Audited version | 3.2.0 |
| Fully patched version | – |
| Recommended remediation | Removal of the plugin |
Description
In almost every place where a secret key is compared to user input, the plugin uses ordinary string comparison operators, which return as soon as the first differing byte is found and therefore do not mitigate timing attacks: the time a comparison takes depends on how much of the submitted value matches the secret.
A skilled attacker, given enough requests, can abuse this timing side channel to recover the secrets.
Proof of concept
Validation of 2FA emergency codes sent by e-mail:

```php
public function validate_authentication( $user ) {
	$otp         = HTTP::post( 'otp' );
	$backup_code = get_user_meta( $user->ID, 'defenderBackupCode', true );
	// Vulnerable: `===` stops at the first differing byte, so the response time
	// depends on how many leading bytes of the submitted code match the stored one.
	if ( ! empty( $backup_code ) && $backup_code['code'] === $otp && strtotime(
		'+3 minutes',
		$backup_code['time']
	) > time() ) {
		delete_user_meta( $user->ID, 'defenderBackupCode' );
		return true;
	} else {
		return new \WP_Error( 'opt_fail', __( 'ERROR: Invalid passcode.', 'wpdef' ) );
	}
}
```
Passing a secret into a MySQL WHERE clause introduces the same kind of side channel, since the database compares the value byte by byte as well:

```php
// Vulnerable: the secret login token is matched by the database rather than
// compared in constant time in PHP.
$query = new \WP_User_Query( [
	'blog_id'    => 0,
	'meta_key'   => 'defender_two_fa_token',
	'meta_value' => $login_token,
] );
```
As an aside, the above query is also very resource intensive, because the "meta_value" column of "wp_usermeta" has no index, so every lookup scans the table.
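As an added illustration (not the plugin's code, nor a vendor patch), the two comparisons above rewritten so that neither the byte-wise `===` nor the database does the secret comparison. It assumes a WordPress runtime (`get_user_meta`, `get_user_by`, `WP_Error`), the same user-meta layout the proof of concept shows, and, for the token lookup, that the login request carries a non-secret user ID alongside the token; the function names are illustrative.

```php
<?php
// Added example, not code from the WPMU Defender plugin. Assumes WordPress is
// loaded and that the user-meta layout matches the advisory's proof of concept.

/**
 * Vulnerable pattern, kept for comparison: `===` returns at the first
 * differing byte, so elapsed time depends on the length of the matching prefix.
 */
function compare_leaky( string $secret, string $submitted ): bool {
	return $secret === $submitted;
}

/**
 * Hardened pattern: hash_equals() (PHP >= 5.6) runs in time that depends only
 * on the length of the known string, not on where the first mismatch occurs.
 * The known secret is the first argument; the user-controlled value the second.
 */
function compare_constant_time( string $secret, string $submitted ): bool {
	return hash_equals( $secret, $submitted );
}

/**
 * Hardened emergency-code check. Same logic as the vulnerable method, with the
 * `===` replaced by hash_equals() and the meta shape validated before use.
 */
function validate_backup_code_hardened( WP_User $user, string $otp ) {
	$backup_code = get_user_meta( $user->ID, 'defenderBackupCode', true );

	$valid = ! empty( $backup_code )
		&& is_array( $backup_code )
		&& isset( $backup_code['code'], $backup_code['time'] )
		&& hash_equals( (string) $backup_code['code'], $otp )
		&& strtotime( '+3 minutes', (int) $backup_code['time'] ) > time();

	if ( $valid ) {
		delete_user_meta( $user->ID, 'defenderBackupCode' );
		return true;
	}
	return new WP_Error( 'opt_fail', __( 'ERROR: Invalid passcode.', 'wpdef' ) );
}

/**
 * Hardened token lookup. Instead of letting MySQL match the secret in a WHERE
 * clause, fetch the stored token by a non-secret identifier (assumed here: the
 * user ID sent with the login request) and compare it in PHP in constant time.
 * Looking up by user_id also uses an indexed column of wp_usermeta.
 */
function find_user_by_login_token_hardened( int $user_id, string $login_token ) {
	$stored = get_user_meta( $user_id, 'defender_two_fa_token', true );
	if ( ! is_string( $stored ) || $stored === '' ) {
		return null;
	}
	return hash_equals( $stored, $login_token ) ? get_user_by( 'id', $user_id ) : null;
}
```

The order of arguments to `hash_equals()` matters: the first argument should be the value the server already knows, so that the only length information exposed is that of the stored secret, not of the attacker's input. Where no non-secret identifier is available for the token lookup, an alternative is to store and query an HMAC of the token (so the database matches a derived value) and then verify the actual token with `hash_equals()` on the returned row.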
Timeline
| Vendor contacted | September 07, 2022 |
| --- | --- |
| First Response | September 08, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |