OpenFUN Richie HMAC Timing Attack Vulnerability in Webhook Authentication Bypass
Vulnerability
A timing attack vulnerability has been identified in OpenFUN Richie Learning Management System (LMS) versions prior to the fix in commit a1b5bbd. The issue arises in the 'sync_course_runs_from_request' function within 'src/richie/apps/courses/api.py', where the application improperly uses the standard equality operator for HMAC signature verification. String equality returns as soon as it finds a differing character, so the time taken by the comparison depends on how much of the supplied signature matches the expected one. This flaw enables remote attackers to forge valid signatures and bypass authentication by exploiting response time discrepancies.
Impact
Exploitation of this vulnerability allows an unauthenticated remote attacker to bypass authentication on the affected webhook, potentially leading to unauthorized injection of course run data, manipulation of public course pages, and corruption of the search index and cache.
Reproduction
To reproduce this vulnerability, send a series of crafted requests to the 'sync_course_runs_from_request' webhook endpoint. Measure the response times to identify discrepancies that indicate a signature mismatch. Use this information to iteratively deduce the correct HMAC signature, which can then be used to forge a valid authorization token and bypass the webhook's authentication.
Remediation
Users can update to the version of OpenFUN Richie that includes the fix in commit a1b5bbd to address this vulnerability.
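The class of fix described above, as an added example (not Richie's code and not the contents of commit a1b5bbd): a webhook signature check written with '==' beside one that uses 'hmac.compare_digest'. The header scheme, the secrets and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values: the header scheme and the secrets are assumptions.
SCHEME = "HMAC-SHA256"
SECRETS = [b"current-shared-secret", b"previous-shared-secret"]


def sign(body: bytes, secret: bytes) -> str:
    """Return the Authorization value a legitimate sender would attach."""
    digest = hmac.new(secret, msg=body, digestmod=hashlib.sha256).hexdigest()
    return f"{SCHEME} {digest}"


def verify_naive(body: bytes, header, secrets=SECRETS) -> bool:
    """Flawed pattern: '==' stops at the first differing character and
    any() stops at the first matching secret, so timing depends on input."""
    return any(header == sign(body, s) for s in secrets)


def verify_constant_time(body: bytes, header, secrets=SECRETS) -> bool:
    """Hardened check: compare bytes with hmac.compare_digest and test
    every configured secret instead of returning on the first match."""
    if not isinstance(header, str):
        return False  # header missing from the request
    # compare_digest rejects non-ASCII str, so compare encoded bytes.
    supplied = header.encode("utf-8", errors="replace")
    ok = False
    for secret in secrets:
        expected = sign(body, secret).encode("ascii")
        ok |= hmac.compare_digest(supplied, expected)
    return ok


if __name__ == "__main__":
    body = b'{"resource_link": "https://example.com/course", "start": null}'
    header = sign(body, SECRETS[0])
    print("valid signature accepted:", verify_constant_time(body, header))
    print("tampered body rejected:", not verify_constant_time(body + b" ", header))
```

Both functions return the same accept/reject decision; only the second keeps the comparison time independent of how many leading characters of the supplied value are correct.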
