CVE-2023-46739

Timing attack can leak user passwords

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading.

CubeFS es un sistema de almacenamiento de archivos nativo de la nube de código abierto. Se encontró una vulnerabilidad en el componente maestro de CubeFS en versiones anteriores a la 3.3.1 que podría permitir a un atacante no confiable robar contraseñas de usuario mediante la realización de un ataque de sincronización. El caso raíz de la vulnerabilidad fue que CubeFS utilizó una comparación de contraseñas sin formato. La parte vulnerable de CubeFS era el UserService del componente maestro. Se crea una instancia de UserService al iniciar el servidor del componente maestro. El problema se solucionó en la versión 3.3.1. Para los usuarios afectados, no hay otra forma de mitigar el problema además de actualizar.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-10-25 CVE Reserved
2024-01-03 CVE Published
2024-01-11 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-203: Observable Discrepancy

CAPEC

References (2)

URL	Tag	Source
https://github.com/cubefs/cubefs/security/advisories/GHSA-8579-7p32-f398	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/cubefs/cubefs/commit/6a0d5fa45a77ff20c752fa9e44738bf5d86c84bd	2024-01-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linuxfoundation Search vendor "Linuxfoundation"		Cubefs Search vendor "Linuxfoundation" for product "Cubefs"				< 3.3.1 Search vendor "Linuxfoundation" for product "Cubefs" and version " < 3.3.1"		-		Affected