Security Vulnerability Alert


Luca Wehrstedt

Aug 29, 2018, 9:31:53 AM
to Contest Management System (announcements)
A security vulnerability was brought to our attention. Any person with the ability to send requests to the ContestWebServer (CWS) and with knowledge of the secret key could remotely cause CWS to execute arbitrary code.

This stems from CWS’s use of the pickle library to decode the authentication cookie. Carefully crafted values can trick pickle into running user-provided code in an attempt to decode instances of custom classes, and thus it should not be used on untrusted data.

The attack is mitigated by the fact that the cookie value is only passed to pickle if it is accompanied by a valid cryptographic signature produced using the secret key. The secret key is supposed to be configured by the admins to a secure random value and the documentation warned about it, saying that failing to do so could allow impersonation (although, as it turns out, consequences were far worse). Therefore, this attack could only have been carried out if the secret key had not been changed from its default value (a warning in AWS, the AdminWebServer, nags admins if this is the case) or if it had been leaked.

Moreover, of course, limiting access to CWS (by putting it on a separate network or behind a firewall) would also have reduced the impact.

The issue has been fixed in version 1.3.2 and in the master branch, and we advise all our users to update to the latest version as soon as possible.

We thank Michele Lizzit for making us aware of the issue and, especially, for doing so through private communications, giving us time to fix it before disclosing it.
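
An added example, not CMS code and not part of the original announcement: it places the sign-then-unpickle pattern described above next to a decoder that accepts only JSON, showing why a valid signature does not make pickle safe once the key is known. The cookie layout, the function names, the placeholder key and the choice of JSON are assumptions made for illustration, not a description of the fix shipped in 1.3.2.

```python
import base64, hashlib, hmac, json, pickle

# Constructed placeholder, not the real CMS default key.
DEFAULT_KEY = b"placeholder-default-secret"


def sign(key: bytes, payload: bytes) -> str:
    """Return 'base64(payload).hex(hmac)' as a cookie value (assumed layout)."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify(key: bytes, cookie: str) -> bytes:
    """Return the payload if the signature is valid, else raise ValueError."""
    try:
        body, mac = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed cookie") from exc
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("bad signature")
    return payload


def decode_pickle(key: bytes, cookie: str):
    """Pattern from the advisory: signature check, then pickle."""
    return pickle.loads(verify(key, cookie))


def decode_json(key: bytes, cookie: str) -> dict:
    """Hardened: JSON can only yield plain data, whoever signed it."""
    try:
        data = json.loads(verify(key, cookie).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("payload is not JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("unexpected payload type")
    return data


class Probe:
    """Harmless stand-in: its pickle names a callable to run at load time."""
    def __reduce__(self):
        return (len, ("probe",))


# Constructed samples: anyone who knows the key can produce a valid signature.
PROBE_COOKIE = sign(DEFAULT_KEY, pickle.dumps(Probe()))
GOOD_COOKIE = sign(DEFAULT_KEY, json.dumps({"user": "alice"}).encode())
```

With the known key, `decode_pickle` returns the result of the callable named inside the cookie instead of session data, while `decode_json` rejects the same cookie; with any other key both decoders stop at the signature check.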