A flaw in the JWT implementation of Apache Mesos resulted in a timing attack vulnerability.
Affected Versions
Apache Mesos 1.4.0 to 1.6.0 are affected. The unsupported Apache Mesos pre-1.4.0 releases may also be affected.
Description
Apache Mesos can be configured to require authentication to call the Executor HTTP API. This is done by running the Mesos Agent with the --authenticate_http_executors flag. By default, this authentication mechanism utilizes JSON Web Token (JWT).
The JWT is eventually validated at 3rdparty/libprocess/src/jwt.cpp with the function JWT::parse(const string& token, const string& secret).
The following snippet of code (jwt.cpp, lines 248-256) contains the vulnerability:
const bool valid = hmac.get() == signature.get();

if (!valid) {
  return JWTError(
      "Token signature does not match",
      JWTError::Type::INVALID_TOKEN);
}

return JWT(header.get(), payload.get(), signature.get());
The vulnerability lies in the comparison of the generated HMAC value against the provided signature. As the == operator on std::string in C++ is not constant-time (it returns as soon as a differing byte is found), an attacker is able to abuse the timing difference of when this function returns to reveal the correct HMAC value. The blog post "A Lesson In Timing Attacks (or, Don't use MessageDigest.isEquals)" by Coda Hale has more details about exploiting such vulnerabilities.
By exploiting this vulnerability, an attacker can learn the expected HMAC value and bypass the authentication checks of the Executor HTTP API.
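To make the difference concrete, the following added example (written for this page, not code from Apache Mesos or from the fix commit) models the two comparison strategies. Each comparator returns, beside the boolean result, how many bytes it examined before returning; that count stands in for the running time an attacker could measure. The early-exit version mirrors what std::string's == does on the HMAC tag, while the constant-time version visits every byte and OR-s the differences together so that the work done does not depend on where the guess first diverges from the expected tag. The 16-byte "expected" value and the guesses are constructed sample strings, not real HMAC output.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Added example, not Mesos source. Both comparators report how many bytes
// they examined; that count is a stand-in for measurable running time.
struct CompareResult {
    bool equal;
    std::size_t bytes_examined;
};

// Models `hmac.get() == signature.get()` on std::string: the lengths are
// checked, then the comparison stops at the first differing byte, so the
// work done grows with the length of the correct prefix of the guess.
CompareResult early_exit_compare(const std::string& expected,
                                 const std::string& guess) {
    if (expected.size() != guess.size()) {
        return {false, 0};
    }
    for (std::size_t i = 0; i < expected.size(); ++i) {
        if (expected[i] != guess[i]) {
            return {false, i + 1};
        }
    }
    return {true, expected.size()};
}

// Constant-time version: every byte is visited and the XOR differences are
// OR-ed into one accumulator, so the loop never branches on secret data.
// The length check stays an early return because an HMAC tag has a fixed,
// public size; only the position of the first differing byte must not leak.
CompareResult constant_time_compare(const std::string& expected,
                                    const std::string& guess) {
    if (expected.size() != guess.size()) {
        return {false, 0};
    }
    unsigned char diff = 0;
    for (std::size_t i = 0; i < expected.size(); ++i) {
        diff |= static_cast<unsigned char>(expected[i]) ^
                static_cast<unsigned char>(guess[i]);
    }
    return {diff == 0, expected.size()};
}

int main() {
    // Constructed sample values; a real tag would be raw HMAC-SHA256 output.
    const std::string expected = "0123456789abcdef";
    const std::string guesses[] = {"xxxxxxxxxxxxxxxx", "012xxxxxxxxxxxxx",
                                   "0123456789abcdex", expected};
    for (const std::string& g : guesses) {
        CompareResult e = early_exit_compare(expected, g);
        CompareResult c = constant_time_compare(expected, g);
        std::cout << g << "  early-exit examined " << e.bytes_examined
                  << " bytes, constant-time examined " << c.bytes_examined
                  << " bytes, equal=" << (c.equal ? "yes" : "no") << '\n';
    }
    return 0;
}
```

Running the program shows the early-exit comparator examining 1, 4, 16 and 16 bytes for the four guesses, while the constant-time comparator always examines all 16; a guess that shares a longer correct prefix no longer takes measurably longer to reject. A compiler may still rewrite a comparison loop, so production code should use a library routine that is maintained as constant-time rather than a hand-rolled loop.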
Mitigation
Apache Mesos users should upgrade to a patched version. The following is the official recommendation from the Apache Mesos team.
- pre-1.4.x users should upgrade to at least 1.4.2
- 1.4.x users should upgrade to 1.4.2
- 1.5.x users should upgrade to 1.5.2
- 1.6.0 users should upgrade to 1.6.1
- 1.7.0-dev users should obtain Mesos 1.7.0
Credits
This issue was discovered by Ayrx.
Timeline
- 11 May 2018 - Vulnerability discovered.
- 11 May 2018 - Vulnerability reported to the vendor.
- 29 May 2018 - Vulnerability acknowledged by vendor.
- 30 May 2018 - Vulnerability fixed by vendor in commit 2c282f1. CVE-2018-8023 assigned.
- 21 Sep 2018 - Vulnerability made public and sent to oss-security.