Executive Summary

This vulnerability exists in the OpenFUN Richie LMS application, specifically in the function sync_course_run_from_request within the src/richie/apps/courses/api.py file. The issue arises because the application uses a non-constant time equality operator (==) to verify HMAC signatures. This comparison method allows remote attackers to perform timing attacks by measuring response time differences, enabling them to forge valid signatures and bypass authentication.

The vulnerability is due to the fact that the standard equality check short-circuits on the first mismatching character, leaking information about the signature through timing discrepancies. The fix involves replacing this with a constant-time comparison function, hmac.compare_digest, which prevents attackers from inferring valid signatures based on timing.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability allows an unauthenticated remote attacker to forge valid HMAC signatures and bypass authentication on the Richie LMS webhook endpoint.

• Inject arbitrary course run data into the system.
• Manipulate public course pages.
• Corrupt the search index and cache.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the webhook endpoint `sync_course_runs_from_request` for unusual or suspicious requests attempting to exploit timing differences in the HMAC signature verification.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves timing attacks on the Authorization header, one way to detect exploitation attempts is to analyze logs for repeated requests with varying Authorization headers that may be probing for timing discrepancies.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or log analysis commands to identify such patterns. For example, using grep to filter logs for the webhook endpoint and Authorization headers:'}, {'type': 'list_item', 'content': "grep 'sync_course_runs_from_request' /path/to/access.log | grep 'Authorization'"}, {'type': 'paragraph', 'content': 'Additionally, you can use tools like tcpdump or Wireshark to capture and analyze HTTP requests to the vulnerable endpoint.'}, {'type': 'list_item', 'content': "tcpdump -i any -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'Authorization'"}, {'type': 'paragraph', 'content': 'However, there are no specific built-in commands or automated detection scripts provided in the resources.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "The immediate mitigation step is to update the Richie LMS application to the fixed version that replaces the vulnerable non-constant time equality check with a constant-time comparison using Python's `hmac.compare_digest`."}, {'type': 'paragraph', 'content': 'Specifically, ensure that the code in `src/richie/apps/courses/api.py` uses `hmac.compare_digest` to verify HMAC signatures in the `sync_course_runs_from_request` function.'}, {'type': 'paragraph', 'content': 'This fix prevents timing attacks by making the signature comparison execute in constant time regardless of input.'}, {'type': 'paragraph', 'content': 'If immediate patching is not possible, consider restricting access to the webhook endpoint to trusted IP addresses or networks to reduce the risk of remote exploitation.'}, {'type': 'paragraph', 'content': 'Monitor logs for suspicious activity targeting the webhook endpoint and revoke or rotate any secrets used in `RICHIE_COURSE_RUN_SYNC_SECRETS` if compromise is suspected.'}] [1, 2]

Useful 0 Not Useful 0