2016-07-18 Time Variant SHA1 Check in User Manager

SEC-2016-003

Overview:

Use of '==' instead of '===' to compare SHA1 hashes can result in leaking SHA1 data/bytes. Exploiting this requires a set of passwords that hash to very specific SHA1 values.

Discovered By:

Douglas Goddard <douglas(dot)gastonguay(at)gmail(dot)com>

Impact:

CVSS 3 Details:

  • Base Score: 3.1

  • Temporal Score: 2.5

  • Environmental Score: 2.4

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:U/CR:L/IR:X/AR:X/MAV:N/MAC:H/MPR:N/MUI:N/MS:X/MC:L/MI:N/MA:N

Vulnerable software and versions:

The versions listed below (or earlier)

  • < userman v12.0.27

Note that FreePBX 2.11 and earlier are not affected; additionally, User Manager in FreePBX 13 is not affected in any version. The fix is included in the following versions:

  • >= userman v12.0.28

Related Information

N/A

Further Details:

It is difficult to recover a full hash, because that would require a set of passwords that hash to very specific SHA1 values. However, this could be used to leak bytes of a user's password.

Since a '==' comparison takes longer the more of the compared strings' content matches, it is possible to determine bytes of the string.
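To make the "time variant" behaviour concrete, the following added example (not code from User Manager or FreePBX, written in Python rather than PHP so it can be run directly) counts how many bytes a naive early-exit comparison examines before rejecting a candidate SHA1 hex digest, compared with a fixed-work comparison. The stored hash is constructed from a made-up password; the practical fix for a PHP code base is hash_equals(), and for Python hmac.compare_digest(), both of which do the fixed-work comparison shown here.

```python
import hashlib
import hmac

# Constructed example: a stored SHA1 hex digest (40 hex characters).
STORED_HEX = hashlib.sha1(b"constructed-example-password").hexdigest()


def early_exit_equal(a: str, b: str):
    """Naive compare: returns (equal, bytes_examined). It stops at the first
    mismatching byte, so the work done grows with the length of the matching
    prefix. This is the time-variant behaviour the advisory describes."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a.encode(), b.encode()):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: str, b: str):
    """Fixed-work compare: every byte is visited and differences are OR-ed into
    an accumulator, so the work depends only on the length, not the content."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a.encode(), b.encode()):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def candidate_matching_prefix(stored_hex: str, prefix_len: int) -> str:
    """Constructed candidate that agrees with stored_hex on the first
    prefix_len hex digits and differs at the next one."""
    wrong = "0" if stored_hex[prefix_len] != "0" else "1"
    return stored_hex[:prefix_len] + wrong + stored_hex[prefix_len + 1:]


def work_profile(stored_hex: str, prefix_lens):
    """Map prefix length -> (naive bytes examined, constant-time bytes examined)."""
    profile = {}
    for n in prefix_lens:
        cand = candidate_matching_prefix(stored_hex, n)
        profile[n] = (early_exit_equal(stored_hex, cand)[1],
                      constant_time_equal(stored_hex, cand)[1])
    return profile


def verify_with_stdlib(stored_hex: str, candidate_hex: str) -> bool:
    """The comparison a fix should use: hmac.compare_digest (PHP: hash_equals)."""
    return hmac.compare_digest(stored_hex, candidate_hex)
```

Running work_profile(STORED_HEX, (0, 10, 20, 39)) shows the naive compare examining 1, 11, 21 and 40 bytes respectively while the constant-time compare always examines 40, which is why the naive version's duration reveals how much of the candidate is correct.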

Sangoma strongly encourages all users of FreePBX 12 to upgrade to the latest User Manager version. This can be done from the Module Admin GUI or the CLI. For more information on using Module Admin, please see Module Admin User Guide.

Sangoma takes security seriously and requests that any future FreePBX security issues be reported to security@freepbx.org.
