CIVI-SA-2021-06: Timing Attacks Against the Site Key

Published
2021-03-09 09:00
CiviCRM's REST API traditionally requires two keys, the "API Key" and the "Site Key". The "Site Key" could potentially be extracted by a "timing attack". In this scenario, an attacker would send many invalid requests, build a statistical profile, and infer the most likely value.

Security Risk

Critical

Vulnerability

Other

Affected Versions

CiviCRM versions 5.35.0 and earlier

Fixed Versions

CiviCRM version 5.35.1 and ESR version 5.33.3

Publication Date

2021-03-09

Solutions

Upgrade to the latest version of CiviCRM

Alternatively, HTTP rate-limiting may mitigate or delay timing attacks. However, rate-limiting does not categorically prevent them.
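To show why an early-exit key comparison produces the statistical profile described above, and why a constant-time comparison (the mitigation, independent of rate-limiting) removes it, here is an added Python example; it is not CiviCRM code (whose checks are PHP), the key value is a constructed sample, and the step counter stands in for elapsed time.

```python
import hmac

# Constructed sample value for the demonstration, not a real site key.
SITE_KEY = "k0nstructed-site-key-example"

def naive_compare(expected: str, supplied: str) -> tuple:
    """Early-exit comparison: returns (match, steps), stopping at the first
    mismatching byte. `steps` (bytes examined) stands in for elapsed time and
    grows with the correct prefix, the signal a timing attack accumulates."""
    steps = 0
    if len(expected) != len(supplied):
        return False, steps
    for a, b in zip(expected.encode(), supplied.encode()):
        steps += 1
        if a != b:
            return False, steps
    return True, steps

def constant_time_compare(expected: str, supplied: str) -> tuple:
    """Examines every byte and folds differences into one flag, so `steps`
    is identical for every guess of the right length (only the length, which
    is not secret, remains observable). Real code should use
    hmac.compare_digest (PHP: hash_equals) rather than hand-rolling this."""
    e, s = expected.encode(), supplied.encode()
    if len(e) != len(s):
        return False, 0
    diff, steps = 0, 0
    for a, b in zip(e, s):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps

def check_site_key(supplied: str) -> bool:
    """The mitigation as it should be written: a library constant-time check."""
    return hmac.compare_digest(SITE_KEY.encode(), supplied.encode())

def leak_profile(compare, expected: str, prefix_lengths) -> list:
    """Work done for guesses sharing a correct prefix of n bytes and a wrong
    filler tail; a rising profile is the leak, a flat one is the fix."""
    profile = []
    for n in prefix_lengths:
        guess = expected[:n] + "Z" * (len(expected) - n)
        profile.append(compare(expected, guess)[1])
    return profile
```

`leak_profile(naive_compare, SITE_KEY, range(0, 28, 5))` returns `[1, 6, 11, 16, 21, 26]`, a count that reveals how many leading bytes of each guess were right, while the same call with `constant_time_compare` returns six identical values of 28.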

Credits

Tim Otten of CiviCRM Core for reporting the issue

Tim Otten of CiviCRM Core Team and Rich Lott of Artfulrobot for fixing the issue

Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH for funding the fix

References

security/core#104