CVE-2024-45052

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to determine valid usernames in the Fides privacy platform by measuring timing differences in authentication responses. Attackers can use this information to conduct password brute-forcing or credential stuffing attacks. All Fides deployments prior to version 2.44.0 are affected.

💻 Affected Systems

Products:
  • Fides
Versions: All versions prior to 2.44.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Fides deployments with authentication enabled are vulnerable. The vulnerability is in the core authentication mechanism.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers enumerate all valid usernames, then successfully brute-force passwords leading to full system compromise and privacy data exposure.

🟠 Likely Case

Attackers enumerate some usernames and conduct targeted password attacks, potentially gaining unauthorized access to user accounts.

🟢 If Mitigated

Attackers can enumerate usernames but cannot progress to password attacks due to strong authentication controls like MFA or rate limiting.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Timing attacks require specialized tools but are well-documented. Attackers need network access to the Fides webserver.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.44.0

Vendor Advisory: https://github.com/ethyca/fides/security/advisories/GHSA-2h46-8gf5-fmxv

Restart Required: Yes

Instructions:

1. Backup your Fides configuration and data.
2. Stop the Fides service.
3. Update Fides to version 2.44.0 or later using your package manager or deployment method.
4. Restart the Fides service.
5. Verify the update was successful.

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to the Fides authentication endpoint to trusted IPs only.
  • Deploy a WAF or reverse proxy with rate limiting and timing attack mitigation capabilities in front of Fides.

🔍 How to Verify

Check if Vulnerable:

Check if Fides version is below 2.44.0 by accessing the admin interface or checking deployment manifests.

Check Version:

docker exec fides-webserver fides --version || check package manager version

Verify Fix Applied:

Confirm Fides version is 2.44.0 or higher and test authentication endpoints for consistent response times.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from single IPs
  • Unusual patterns of authentication requests with varying usernames

Network Indicators:

  • High volume of POST requests to /api/v1/login or similar authentication endpoints
  • Requests with systematically varying usernames

SIEM Query:

source="fides" AND (url_path="/api/v1/login" OR action="authentication") | stats count by src_ip, username
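The log indicators above (many distinct usernames from one source IP against the login path in a short window) as a detection rule run over constructed sample lines. This is added example code, not part of the advisory or of Fides; the log line format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real Fides output; format is an assumption).
SAMPLE_LOGS = """\
2024-09-01T10:00:00Z src_ip=203.0.113.7 path=/api/v1/login username=alice status=401
2024-09-01T10:00:01Z src_ip=203.0.113.7 path=/api/v1/login username=bob status=401
2024-09-01T10:00:01Z src_ip=203.0.113.7 path=/api/v1/login username=carol status=401
2024-09-01T10:00:02Z src_ip=203.0.113.7 path=/api/v1/login username=dave status=401
2024-09-01T10:00:02Z src_ip=203.0.113.7 path=/api/v1/login username=erin status=401
2024-09-01T10:00:03Z src_ip=203.0.113.7 path=/api/v1/login username=frank status=401
2024-09-01T10:05:00Z src_ip=198.51.100.4 path=/api/v1/login username=alice status=401
2024-09-01T10:05:30Z src_ip=198.51.100.4 path=/api/v1/login username=alice status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src_ip=(?P<ip>\S+) path=(?P<path>\S+) "
                     r"username=(?P<user>\S+) status=(?P<status>\d+)$")

def parse_logs(text):
    """Parse lines into (timestamp, src_ip, path, username, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["path"], m["user"], int(m["status"])))
    return events

def find_enumeration(events, window=timedelta(minutes=5), min_users=5, path="/api/v1/login"):
    """Return {src_ip: sorted usernames} for IPs that hit `path` with at least
    `min_users` distinct usernames inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ts, ip, p, user, _status in events:
        if p == path:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        best, start = set(), 0
        for end in range(len(items)):
            # advance the window start until the span is at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged
```

Tune `window` and `min_users` to your own login volume; the same IP-keyed grouping is what the SIEM query above performs.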
