Authentication Timing Attack Vulnerability (DOM-23-001)
Summary
Our team discovered a side-channel authentication vulnerability in the REST API feature of Digi On-Prem Manager before v23.6.
An attacker able to reach the API could derive API secrets by performing a timing attack on the authentication mechanism, i.e. by measuring differences in response time that depend on the secret being checked, accumulated over a large number of requests.
The REST API is not enabled by default.
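To show why an early-exit secret comparison leaks and how a prefix-by-prefix attack exploits that leak, here is an added illustrative model in Python. It is not Digi's code and assumes nothing about how On-Prem Manager itself compares secrets: the number of byte comparisons stands in for the response time a real attacker measures over many requests, and the key alphabet is an assumption (the 22-character length is the pre-v23.6 value from this advisory).

```python
"""Model of the timing side channel in an early-exit secret comparison and of
the prefix-by-prefix attack against it. Added illustration, not Digi code:
the number of byte comparisons stands in for the response time that a real
attacker measures over many requests."""
import hmac
import secrets
import string
from typing import Callable, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits  # assumed key alphabet
KEY_LENGTH = 22  # pre-v23.6 API secret length given in the advisory

Oracle = Callable[[bytes], Tuple[bool, int]]


def insecure_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Compare byte by byte and stop at the first mismatch.
    Returns (equal, byte comparisons performed). The second value grows with
    the length of the correct prefix: that is the side channel."""
    steps = 0
    if len(expected) != len(supplied):
        return False, steps
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Visit every byte regardless of where a mismatch occurs, so the work
    (and the time) is independent of the correct prefix. The length check
    leaks only the expected length, which is public (22, later 64)."""
    steps = 0
    if len(expected) != len(supplied):
        return False, steps
    acc = 0
    for a, b in zip(expected, supplied):
        steps += 1
        acc |= a ^ b
    return acc == 0, steps


def verify_api_secret(expected: bytes, supplied: bytes) -> bool:
    """What the hardened check looks like in practice: the standard library's
    constant-time comparison instead of == or a hand-rolled loop."""
    return hmac.compare_digest(expected, supplied)


def recover_secret(oracle: Oracle, length: int, alphabet: str = ALPHABET) -> bytes:
    """Prefix-by-prefix recovery against a comparison oracle. For each
    position, the candidate byte that makes the oracle do the most work is
    the correct one. Cost: length * len(alphabet) queries instead of
    len(alphabet) ** length for brute force. Padding with a byte outside
    the alphabet guarantees the guess never matches beyond the position
    being attacked."""
    known = bytearray()
    for pos in range(length):
        best_char, best_steps = alphabet[0], -1
        for ch in alphabet:
            guess = bytes(known) + ch.encode() + b"\x00" * (length - pos - 1)
            equal, steps = oracle(guess)
            if equal:
                return guess
            if steps > best_steps:
                best_char, best_steps = ch, steps
        known.append(ord(best_char))
    return bytes(known)


def demo(secret: Optional[bytes] = None) -> dict:
    """Run the attack against both comparators for one secret (random,
    22 characters from ALPHABET, unless one is supplied)."""
    if secret is None:
        secret = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH)).encode()
    leaky: Oracle = lambda guess: insecure_compare(secret, guess)
    safe: Oracle = lambda guess: constant_time_compare(secret, guess)
    return {
        "secret": secret,
        "leaky_recovered": recover_secret(leaky, len(secret)),
        "safe_recovered": recover_secret(safe, len(secret)),
    }


if __name__ == "__main__":
    result = demo()
    print("secret           :", result["secret"].decode())
    print("via early-exit   :", result["leaky_recovered"].decode())
    print("via constant-time:", result["safe_recovered"].decode())
```

Against the early-exit comparator the attack needs 22 × 62 oracle queries at most; against the constant-time one the step count is flat and the attacker is back to guessing 62^22 keys. A real attacker sees noisy network timings rather than a step count, so each candidate byte is tried many times and the means compared, which is why the attack produces the burst of 401 responses described under Indicators of Compromise.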
Remediation
Customers should update to v23.6 of Digi On-Prem Manager and rotate their API keys.
In addition to fixing the timing attack vulnerability, v23.6 increases the length of API secrets from 22 to 64 characters. Keys of the old length will no longer be accepted by the API, so rotation is required after upgrading.
Mitigations
For users unable to upgrade, either:
- Disable the API under “System Settings” -> “Features” -> “API”, or
- Restrict API access to trusted networks under “System Settings” -> “Access Control” -> “API”.
Indicators of Compromise:
An attacker will generate a large number of HTTP 401 Unauthorized responses for requests under /api/. These are recorded in the nginx access logs and can be searched for with, for example, ripgrep (-z also searches rotated, gzip-compressed logs):
rg -ze '"[A-Z]+ /api/.+?" 401' /var/log/nginx/access.log*
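The ripgrep command finds the individual hits; to turn them into an indicator you still need to aggregate per client and per time window, since a timing attack produces a sustained burst from one source whereas a legitimate client with a stale key produces a trickle. The following added Python example (not Digi's tooling) applies the same match as the rg pattern to constructed nginx combined-format log lines and flags clients whose peak rate of /api/ 401s in a sliding window reaches a threshold; the endpoint paths, addresses and the default threshold are assumptions.

```python
"""Detection over nginx access logs: count HTTP 401 responses under /api/ per
client and flag clients whose peak rate in a sliding window is suspicious.
Added example, not Digi code; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample in nginx "combined" format. Endpoint paths are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2023:12:00:01 +0000] "GET /api/v1/devices HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jun/2023:12:00:02 +0000] "GET /api/v1/devices HTTP/1.1" 401 43 "-" "curl/8.1.2"
198.51.100.23 - - [10/Jun/2023:12:00:02 +0000] "GET /api/v1/devices HTTP/1.1" 401 43 "-" "curl/8.1.2"
198.51.100.23 - - [10/Jun/2023:12:00:03 +0000] "POST /api/v1/devices HTTP/1.1" 401 43 "-" "curl/8.1.2"
198.51.100.23 - - [10/Jun/2023:12:00:03 +0000] "GET /api/v1/groups HTTP/1.1" 401 43 "-" "curl/8.1.2"
198.51.100.23 - - [10/Jun/2023:12:05:00 +0000] "GET /login HTTP/1.1" 401 43 "-" "curl/8.1.2"
203.0.113.10 - - [10/Jun/2023:12:07:30 +0000] "GET /api/v1/devices HTTP/1.1" 401 43 "-" "python-requests/2.31"
"""

# Same match as the ripgrep pattern ("METHOD /api/... " 401), plus the client
# address and the timestamp so hits can be aggregated.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def api_401_events(lines: Iterable[str]) -> Dict[str, List[datetime]]:
    """Timestamps of 401 responses under /api/, grouped by client address."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["path"].startswith("/api/"):
            events[rec["ip"]].append(rec["time"])
    return dict(events)


def count_api_401s(lines: Iterable[str]) -> Dict[str, int]:
    """Total /api/ 401s per client: the number the rg output lets you eyeball."""
    return {ip: len(times) for ip, times in api_401_events(lines).items()}


def peak_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events falling inside any window of the given length."""
    times = sorted(times)
    peak = start = 0
    for i, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def suspect_clients(lines: Iterable[str], threshold: int = 100,
                    window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Clients whose peak /api/ 401 rate within the window reaches the
    threshold. A timing attack needs many measurements per candidate byte, so
    the burst is large and sustained. The default threshold is an assumption
    to tune per deployment."""
    result = {}
    for ip, times in api_401_events(lines).items():
        peak = peak_in_window(times, window)
        if peak >= threshold:
            result[ip] = peak
    return result


if __name__ == "__main__":
    for ip, peak in suspect_clients(SAMPLE_LOG.splitlines(), threshold=3).items():
        print(f"{ip}: {peak} /api/ 401s within one minute")
```

The 401 on /login and the single stray 401 from 203.0.113.10 are not flagged; only 198.51.100.23, with four /api/ failures in two seconds, is. If nginx sits behind another proxy or load balancer, the first field of the log line is that proxy's address, so the per-client grouping has to use the forwarded client address from the log format instead.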
Affected Versions
- Versions before v23.6 of Digi On-Prem Manager