Thursday, January 17, 2019

[CVE-2018-1000814] Session reuse on aiohttp-session prior to 2.7.0

On Oct 08 2018 a session reuse vulnerability in aiohttp-session was discovered and disclosed in aiohttp-session#325. It falls under CWE-287 (Improper Authentication) and is caused by the library's reliance on the storage backend for session data expiration.

Because of this reliance, storage backends with inherent expiry, like Redis or Memcached, were not vulnerable. On backends that keep the session data solely in the cookie, like EncryptedCookieStorage and NaClCookieStorage, the only expiry is the cookie's own Max-Age, which is enforced by the browser and ignored by an attacker. A malicious client can therefore re-create (replay) a captured cookie with the same session data after it should have expired. This effectively provides infinite-lifetime sessions and defeats the purpose of session expiry, which is to minimize the attack window on the most vulnerable part of an application's authentication: the session transfer.
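The following is an added, self-contained illustration of the two behaviours described above; it is not code from aiohttp-session or from this post. To stay dependency-free it uses an HMAC-signed (not encrypted) cookie as a stand-in for EncryptedCookieStorage/NaClCookieStorage, since only integrity matters for the point being made. The "vulnerable" pair mirrors the pre-2.7.0 cookie backends, where the server never consults a clock; the "patched" pair embeds a `created` timestamp inside the authenticated payload and rejects stale payloads server-side, which is the shape of the 2.7.0 fix (the exact field name and check are an assumption here). The secret key, the session contents and the fixed clock values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment uses a random secret of adequate length.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def _seal(payload: dict) -> str:
    """Serialize and MAC a payload (stand-in for the encrypt-and-authenticate step)."""
    raw = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(SECRET_KEY, raw, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(raw + mac).decode()


def _open(cookie_value: str) -> Optional[dict]:
    """Verify the MAC and return the payload, or None if it is malformed or tampered."""
    try:
        blob = base64.urlsafe_b64decode(cookie_value.encode())
    except ValueError:
        return None
    raw, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(SECRET_KEY, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(raw)


# --- Pre-2.7.0 shape: the session dict is the whole payload, and the only expiry is the
# cookie's Max-Age attribute. The browser honours it; an attacker replaying a captured
# cookie simply does not.
def issue_vulnerable(session: dict, max_age: int) -> dict:
    return {"value": _seal({"session": session}), "max_age": max_age}


def load_vulnerable(cookie_value: str, max_age: int, now: int) -> Optional[dict]:
    data = _open(cookie_value)
    # max_age and now are never consulted: any validly sealed cookie is accepted forever.
    return None if data is None else data["session"]


# --- 2.7.0-style shape (assumed model of the fix): the creation time travels inside the
# authenticated payload, so the server can judge staleness itself.
def issue_patched(session: dict, max_age: int, now: int) -> dict:
    return {"value": _seal({"created": int(now), "session": session}), "max_age": max_age}


def load_patched(cookie_value: str, max_age: Optional[int], now: int) -> Optional[dict]:
    data = _open(cookie_value)
    if data is None:
        return None
    if max_age is not None and now - data["created"] > max_age:
        return None  # stale payload: discarded even though the MAC is valid
    return data["session"]


def attacker_forwards_created(cookie_value: str, new_created: int) -> str:
    """Attacker edits 'created' in a captured cookie but cannot recompute the MAC."""
    blob = base64.urlsafe_b64decode(cookie_value.encode())
    raw, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    data = json.loads(raw)
    data["created"] = new_created
    forged = json.dumps(data, sort_keys=True).encode() + mac  # old MAC, new payload
    return base64.urlsafe_b64encode(forged).decode()


def replay_demo(max_age: int = 3600) -> dict:
    """Issue a session at t0, then replay the captured cookie after it should have expired."""
    t0 = 1_700_000_000  # constructed fixed clock so results are deterministic
    late = t0 + max_age + 1
    session = {"user": "alice"}  # constructed session data
    vuln_cookie = issue_vulnerable(session, max_age)["value"]
    fixed_cookie = issue_patched(session, max_age, t0)["value"]
    return {
        "vulnerable_replay": load_vulnerable(vuln_cookie, max_age, late),
        "patched_replay": load_patched(fixed_cookie, max_age, late),
        "patched_in_window": load_patched(fixed_cookie, max_age, t0 + max_age),
        "forged": load_patched(attacker_forwards_created(fixed_cookie, late), max_age, late),
    }


if __name__ == "__main__":
    for name, result in replay_demo().items():
        print(f"{name}: {result}")
```

Run as-is and the vulnerable replay still yields `{'user': 'alice'}` an hour after expiry, while the patched loader returns `None` for both the stale cookie and the cookie whose `created` field was pushed forward without the key. Note that this model measures age from creation, not from last activity, so re-issuing the cookie on each request does not extend the session; that is the kind of behavioural change a fix of this shape brings with it.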

On Oct 13 2018 the vulnerability was patched with aiohttp-session#331 and aiohttp-session v2.7.0 was released.

Finally on Dec 20 2018 this vulnerability was assigned CVE-2018-1000814.

Side effects

The patch applied in #331 does have a side effect: it breaks the library's implicit ability to create 'idle sessions'. So if you are not using one of the vulnerable backends and rely on aiohttp-session for idle sessions, your best bet is to pin your dependencies to aiohttp-session==2.6.0 until a fix is released.

Other references

