Trilium Notes Timing Attack Vulnerability in Sync Authentication Endpoint Allowing Authentication Bypass

Vulnerability

A critical timing attack vulnerability has been identified in Trilium Notes versions prior to 0.101.0. The time the sync authentication endpoint takes to reject a submitted HMAC authentication hash depends on how many of its leading bytes are correct, so an unauthenticated remote attacker can recover the expected hash byte by byte through statistical analysis of response times. The recovered hash is sufficient to authenticate, so the flaw enables complete authentication bypass without knowledge of the password and grants full read and write access to the victim's knowledge base.

Impact

Successful exploitation bypasses authentication on the sync endpoint and gives the attacker unauthorized access to the user's knowledge base with full read and write privileges.

Reproduction

The vulnerability is reproduced by sending a series of requests to the Trilium sync authentication endpoint, each carrying a guessed HMAC hash, and timing the responses with high-precision timers. A guess whose leading bytes are correct is rejected measurably later than one that is wrong earlier, so the attacker fixes the hash one character position at a time, needing approximately 64 requests per position to separate the correct candidate from timing noise statistically. A complete recovery takes over 100,000 requests, and those requests must be spread across more than 1,000 source IP addresses to evade rate limiting.

Remediation

Upgrade to Trilium Notes version 0.101.0 or later, where this vulnerability has been fixed.

Added: Feb 6, 2026, 11:43 PM
Updated: Feb 6, 2026, 11:43 PM

Vulnerability Rating

Custom Algorithm

spread           2.4
impact           5.0
exploitability   5.6
remediation      7.7
relevance        2.6
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.