TFA module has a timing attack vulnerability.
In version 7.x-2.x, the TfaBasePlugin class which is the parent class for most of validation plugins uses the operator '===' to validate TFA code by the validate() method.
if ((string) $code === (string) $this->code) {
$this->isValid = TRUE;
return TRUE;
}
else {
return FALSE;
}
See the source code from https://git.drupalcode.org/project/tfa/-/blob/7.x-2.x/tfa.inc#L475
An attacker can compromise the TFA code by analyzing the time taken to execute validation.
the php hash_equals function should be used to mitigate the timing attacks.
Therefore, the code above should be replaced with:
if (hash_equals((string) $this->code, (string) $code)) {
$this->isValid = TRUE;
return TRUE;
}
else {
return FALSE;
}
In version 8.x-1.x, there is the same problem with the validation method.
See the source code from
https://git.drupalcode.org/project/tfa/-/blob/8.x-1.x/src/Plugin/TfaBase...
The code for 8.x-1.x should be replaced with:
if (hash_equals((string) $this->code, (string) $code)) {
$this->isValid = TRUE;
return TRUE;
}
else {
return FALSE;
}
Use hash_equals instead of ===
Implement and backport to D7.
Comments
Comment #4
jcnventuraComment #5
gregglesThanks for the work of making this issue and porting the patch to 8.x.
I'm going to adjust the issue credit to reflect the work on the private security issue.
Comment #7
gregglesComment #8
jcnventuraI thought I had already credited you and Mingsong when I did the commit. Did I miss something?
Comment #9
gregglesWe were not in the "Credit & committing" section which I think drives issue credits (separate from the name on the commit message).