Timing Weakness in Ruby on Rails
Posted by michael September 04, 2009 @ 05:47 AM
There is a weakness in the code Ruby on Rails uses to verify message digests in the cookie store. Because it uses a non-constant-time algorithm to verify the signatures, an attacker may be able to determine when a forged signature is partially correct. By repeating this process they may be able to successfully forge a digest.
Versions Affected: 2.1.0 and *all* subsequent versions.
Fixed Versions: 2.3.4, 2.2.3
Impact
Due to network latency, non-deterministic GC runs and other issues, it is unlikely that this attack could be exploited in the wild within a reasonable timeframe. However, users should still upgrade as soon as possible to remove the weakness.
Releases
The 2.3.4 and 2.2.3 releases will be made available shortly and will contain fixes for this issue amongst others.
Patches
In order to provide the fixes for users who are running unsupported releases, or are unable to upgrade at present, we have provided patches against all affected stable release branches.
The patches are in a format suitable for git-am and consist of a single changeset which implements
Credits
Thanks to Coda Hale for reporting the bug to us, and helping us with the fixes.
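The weakness described in the summary, shown as an added example (this is not the Rails patch or code from the Rails project). It contrasts an early-exit digest comparison with a constant-time one and counts the bytes each examines. The `data--digest` layout, the HMAC-SHA1 digest, the secret and all method names are assumptions made for illustration.

```ruby
require "openssl"

SECRET = "constructed-example-secret" # constructed value, not a real key

# Hex HMAC-SHA1 over the cookie payload (digest choice is an assumption).
def digest_for(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
end

# Early-exit comparison: returns [equal?, bytes_examined].
# The amount of work depends on the length of the matching prefix,
# which is the data-dependent behaviour the advisory describes.
def early_exit_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    examined += 1
    return [false, examined] if x != y
  end
  [true, examined]
end

# Constant-time comparison: every byte is examined and the differences
# are OR-ed together, so the work is the same wherever the mismatch is.
# The length check may exit early because digest length is not secret.
def constant_time_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  diff = 0
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    diff |= x ^ y
    examined += 1
  end
  [diff.zero?, examined]
end

# Verify a "data--digest" value; returns the payload, or nil if invalid.
def verify(signed, secret = SECRET)
  data, _sep, digest = signed.rpartition("--")
  return nil if data.empty? || digest.empty?
  ok, _examined = constant_time_compare(digest, digest_for(data, secret))
  ok ? data : nil
end
```

In current Rails applications, `ActiveSupport::SecurityUtils.secure_compare` provides a maintained constant-time comparison, so a hand-written loop like this is only for illustration.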

Even if theoretically speaking this could be exploited, in a real situation (=network, loaded server, load balancer, ...) this is practically impossible to reliably detect submicrosecond response time variation that could make it exploitable.
Not sure it deserves a security alert on its own compared to the XSS security hole.
It has been shown through research that it is applicable to web applications as well, given enough time to build a large enough set of requests.
This is not a problem for your average site, nobody is going to spend the time required to make it work. But consider the impact for big business sites with huge assets behind their accounts.