CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

Description

Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side. This was added to address the Java deserialization vulnerability disclosed in CVE-2014-1972. In the fix for the previous vulnerability, the HMACs were compared by string comparison, which is known to be vulnerable to timing attacks.
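To make the flaw concrete, here is an added illustration (not Tapestry's code) of why an early-exit comparison of HMAC tags leaks information while a constant-time comparison does not. The key and payloads are constructed for the demo; the naive compare is instrumented to return how many bytes it examined before rejecting, which is exactly what a timing side channel exposes.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment takes its secret from configuration.
KEY = b"example-secret-key"


def sign(payload: bytes) -> bytes:
    """Return the HMAC-SHA256 tag protecting a client-side blob."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def naive_equal(a: bytes, b: bytes) -> tuple:
    """Early-exit comparison, the way a plain string compare behaves.
    Returns (equal, bytes_examined); the second value is the quantity
    that a timing side channel leaks to a remote caller."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def verify_naive(payload: bytes, tag: bytes) -> tuple:
    """The vulnerable pattern: recompute the tag and string-compare it."""
    return naive_equal(sign(payload), tag)


def verify_constant_time(payload: bytes, tag: bytes) -> bool:
    """The fix: hmac.compare_digest examines every byte regardless of
    where the first mismatch is, so its running time does not depend on
    how many leading bytes of the supplied tag are correct."""
    return hmac.compare_digest(sign(payload), tag)


def leaked_prefix_lengths(payload: bytes) -> list:
    """Show the leak: constructed tags sharing 0, 1, 2, 3 leading bytes
    with the real one are rejected after steadily more work."""
    real = sign(payload)
    counts = []
    for k in range(4):
        # Keep the first k real bytes, flip byte k, leave the rest unchanged.
        guess = real[:k] + bytes([real[k] ^ 0xFF]) + real[k + 1:]
        counts.append(verify_naive(payload, guess)[1])
    return counts
```

The growing counts are the signal the naive version gives away; the constant-time version returns only a boolean and performs the same work for every input of the right length.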

Affected Versions

  • Apache Tapestry 5.3.6 through current releases.

Mitigation

No new release of Tapestry has occurred since the issue was reported. Affected organizations may want to consider locally applying commit d3928ad44714b949d247af2652c84dae3c27e1b1.

Timeline

  • 2019-03-12: Issue discovered.
  • 2019-03-13: Issue reported to security@apache.org.
  • 2019-03-29: Pinged thread to ask for update.
  • 2019-04-19: Fix committed.
  • 2019-04-23: Asked about release timeline; response: “in the upcoming months”.
  • 2019-05-28: Pinged again about release.
  • 2019-06-24: Asked again and requested a CVE number. No update on timeline.
  • 2019-08-22: Disclosure posted.

Credit

This vulnerability was discovered by David Tomaschik of the Google Security Team.


Hacker Summer Camp 2019: CTFs for Fun & Profit

Okay, I’m back from Summer Camp and have caught up (slightly) on life. I had the privilege of giving a talk at BSidesLV entitled “CTFs for Fun and Profit: Playing Games to Build Your Skills.” I wanted to post a quick link to my slides and talk about the IoT CTF I had the chance to play.

I played in the IoT Village CTF at DEF CON, which was interesting because it uses real-world devices with real-world vulnerabilities instead of the typical made-up challenges in a CTF. On the other hand, I’m a little disappointed that it seems pretty similar (maybe even the same) year-to-year, not providing much variety or new learning experiences if you’ve played before.


Hacker Summer Camp 2019: What I'm Bringing & Protecting Yourself

I’ve begun to think about what I’ll take to Hacker Summer Camp this year, and I thought I’d share some of it as part of my Hacker Summer Camp blog post series. I hope it will be useful to veterans, but particularly to first-timers who might have no idea what to expect – as that’s how I felt my first time.

Since it’s gotten so close, I’ll also talk about what steps you should take to protect yourself.

Packing

General Packing

I won’t state the obvious in terms of packing most of your basic needs, including clothing and toiletries, but I will remind you that Las Vegas will be super hot. Bring clothes for hot days, and pack deodorant! Keep in mind that some of the clubs have a dress code, so if that’s your thing, you’ll want to bring clubbing clothes. (The dress code tends not to be too high, but often pants and a collared shirt.)

I will suggest bringing a reusable water bottle to help cope with the heat. Just before last summer camp, I bought a Simple Modern vacuum insulated bottle, and I absolutely love it. I’ll bring it again this year to stay hydrated. Because I hate heat, I’ll also be bringing a cooling towel, which is surprisingly effective at cooling me off. Perhaps it’s a placebo effect, but I’ll take it.

Remember that large parts of DEF CON are cash only, so you’ll need to bring cash (obviously). At least $300 for a badge, plus more for swag, bars, etc. ATMs on the casino floors are probably safe to use, but will still charge you fairly hefty fees.

Tech Gear

There are two schools of thought on bringing tech gear: minimalist and kitchen sink. I happen to be on the kitchen sink side of things. I’ll be bringing my laptop and a whole bunch of accessories. In fact, I have a whole travel kit that I’ll detail in a future post, but a few highlights include:

On the other hand, some people want the disconnected experience and bring little to no tech. Sometimes this is because of concerns over “being hacked”, but sometimes this is just to focus on the face-to-face time.

Shipping

There are some consumables where I just find it easier to ship to my hotel. Note that the hotel will charge you for receiving a package, but I still find it cheaper/easier to have these things delivered directly.

Getting a case of water delivered is much cheaper than buying from the hotel gift shop. Another option is to hit up a CVS or Walgreens on the strip for some bottled water.

I’m a bit of a Red Bull addict, so I often get a few packs delivered to have on hand. The Red Bull Red Edition is a nice twist on the classic that’s worth a try if you haven’t had the pleasure.

Safety & Security

DEF CON has a reputation for being the “most dangerous network in the world”, but I think this is completely overblown. It defies logic that an attacker with a 0-day on a modern operating system would use it to perform untargeted attacks at DEF CON. If their traffic is captured, they’ve burned their 0-day, and probably just to grab some random attendee’s data – it’s just not worth it to them.

That being said, you shouldn’t make yourself a target either. There are some simple steps you can (and should) take to protect yourself:

  • Use a VPN service for your traffic. I like Private Internet Access for a commercial provider.
  • Don’t connect to open WiFi networks.
  • Don’t accept certificate errors.
  • Don’t plug your phone into strange USB plugs.
  • Use HTTPS.

These are all simple steps to protect yourself, both at DEF CON, and in general. You really ought to observe them all the time – the internet is a dangerous place in general!

To be honest, I worry more about physical security in Las Vegas – don’t carry too much cash, keep your wits about you, and watch your belongings. Use the in-room safe (they’re not perfect, but they’re better than nothing) to protect your goods.

Be aware of hotel policies on entering rooms – ever since the Las Vegas shooting, they’ve become much more invasive about forcing their way into hotel rooms. I recommend keeping anything valuable locked up and out of sight, and being aware of potential impostors using the pretext of being a hotel employee.

Good luck, and have fun in just over a week!


Hacker Summer Camp 2019 Preview

Every year, I try to distill some of the changes, events, and information surrounding the big week of computer security conferences in Las Vegas. This week, including Black Hat, BSides Las Vegas, and DEF CON, is what some refer to as “Hacker Summer Camp” and is likely the largest gathering of computer security professionals and hackers each year.


So You Want to Red Team?

So there’s a lot of confusion out there about Penetration Testing and Red Teaming. I wanted to put together a list of resources for those familiar with infosec or penetration testing who want to get into red teaming or at least get a better understanding of the methodologies and techniques used by red teamers.

First, it’s important to note that Red Teaming is predominantly comprised of two things: alternative analysis and adversary simulation. Red teams do not attempt to find “all the vulnerabilities” and do not usually try to have a wide breadth of coverage. Instead, red teams seek to simulate an adversary with a particular objective, predominantly to act as a “sparring partner” for blue teams. Keep in mind, red teams are the only adversary that will debrief with the blue team so that the blue team can figure out what they missed or could have done differently.

For more about the specific definition of Red Teaming, check out the presentation Red Teaming Probably Isn’t For You by fellow red teamer Toby Kohlenberg.