Credentials cached with Subversion may be sent to the wrong server. Summary: ======== Subversion's credentials cache uses a MD5 hash in order to index and then lookup cached credentials. MD5 is subject to hash collisions and as such it may be possible to engineer a server to get Subversion to send it credentials that have been cached for a different server. This can lead to the leaking of these credentials to a 3rd party. Known vulnerable: ================= Subversion clients 1.0.0 through 1.7.17 (inclusive) Subversion clients 1.8.0 through 1.8.9 (inclusive) Known fixed: ============ Subversion 1.7.18 Subversion 1.8.10 Details: ======== Subversion stores cached credentials by an MD5 hash based on the URL and the authentication realm of the server the credentials are cached for. MD5 has been shown to be subject to chosen plaintext hash collisions. This means it may be possible to generate an authentication realm which results in the same MD5 hash for a different URL. Subversion supports storage of the credentials in a variety of ways (e.g. Windows Crypto API, KWallet, Gnome-Keyring, and the OS X Keychain) as well as its own built in storage. This vulnerability applies to all of them since the same hash key is used to store the credentials in all of them. Severity: ========= CVSSv2 Base Score: 4.0 CVSSv2 Base Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N We consider this to be a very low risk vulnerability. Exploiting this vulnerability in practice will be very difficult. Calculating such a collision with the current public known techniques for producing an MD5 collision (e.g chosen prefix attacks) requires control of the authentication realm on the real server the credentials are for. Typically if you have access to modify the authentication realm you already have more access than the credentials can gain you or can log credentials in other less visible ways. However, it is possible that other techniques are unknown to the public or will become known in the future that allow MD5 pre-image attacks such that the attacker does not need to change the authentication realm on the real server. Even once an attacker has calculated an authentication realm for the server they wish to steal credentials for they have to get the Subversion client to connect to their server with this configuration in place. This would likely require some social engineering to get a user to do this. However, there would be nothing to indicate to the user that such a situation was occurring. Recommendations: ================ We recommend all users to upgrade to Subversion 1.8.10. Users of Subversion 1.7.x or 1.8.x who are unable to upgrade may apply the included patch. New Subversion packages can be found at: http://subversion.apache.org/packages.html Users can avoid this problem by disabling authentication credential storage via the 'store-auth-creds' setting in the '[global]' section of the Subversion servers configuration file. See the SVN Book for details on where to find these configuration files: http://svnbook.red-bean.com/en/1.7/svn.advanced.confarea.html References: =========== CVE-2014-3528 (Subversion) Reported by: ============ Bert Huijben, CollabNet Patches: ======== Patch against 1.7.17: [[[ Index: subversion/libsvn_subr/config_auth.c =================================================================== --- subversion/libsvn_subr/config_auth.c (revision 1615184) +++ subversion/libsvn_subr/config_auth.c (working copy) @@ -90,6 +90,7 @@ svn_config_read_auth_data(apr_hash_t **hash, if (kind == svn_node_file) { svn_stream_t *stream; + svn_string_t *stored_realm; SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool), _("Unable to open auth file for reading")); @@ -100,6 +101,12 @@ svn_config_read_auth_data(apr_hash_t **hash, apr_psprintf(pool, _("Error parsing '%s'"), svn_dirent_local_style(auth_path, pool))); + stored_realm = apr_hash_get(*hash, SVN_CONFIG_REALMSTRING_KEY, + APR_HASH_KEY_STRING); + + if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0) + *hash = NULL; /* Hash collision, or somebody tampering with storage */ + SVN_ERR(svn_stream_close(stream)); } ]]] Patch against 1.8.9: [[[ Index: subversion/libsvn_subr/config_auth.c =================================================================== --- subversion/libsvn_subr/config_auth.c (revision 1605943) +++ subversion/libsvn_subr/config_auth.c (revision 1605944) @@ -94,6 +94,7 @@ svn_config_read_auth_data(apr_hash_t **hash, if (kind == svn_node_file) { svn_stream_t *stream; + svn_string_t *stored_realm; SVN_ERR_W(svn_stream_open_readonly(&stream, auth_path, pool, pool), _("Unable to open auth file for reading")); @@ -104,6 +105,11 @@ svn_config_read_auth_data(apr_hash_t **hash, apr_psprintf(pool, _("Error parsing '%s'"), svn_dirent_local_style(auth_path, pool))); + stored_realm = svn_hash_gets(*hash, SVN_CONFIG_REALMSTRING_KEY); + + if (!stored_realm || strcmp(stored_realm->data, realmstring) != 0) + *hash = NULL; /* Hash collision, or somebody tampering with storage */ + SVN_ERR(svn_stream_close(stream)); } ]]]