CRITICAL🇵🇱 Wersja polska

CVE-2024-23771

CVSS 9.8v3.1pub. 2024-01-22upd. 2025-05-30

darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a timing side channel.

🤖 AI Analysis
How it works

The strcmp() function compares strings and terminates immediately after encountering the first difference between compared characters. The execution time of this function is therefore dependent on the number of matching characters at the beginning of the compared strings. An attacker can measure the server response time for successive authentication attempts, gradually guessing the correct password character by character (timing side channel). Such an attack does not require brute-forcing the entire password space, but only sequential discovery of each character individually.

Impact

An attacker can bypass the HTTP server authentication mechanism and gain unauthorized access to password-protected resources, leading to complete compromise of confidentiality, integrity, and availability of the served data.

Mitigation & patch

Update darkhttpd to version 1.15 or newer. The fix is available in commit f477619d49f3c4de9ad59bd194265a48ddc03f04 in the project repository on GitHub, which replaces the strcmp() function with a constant-time string comparison function.

Who is affected

darkhttpd (Unix4Lyfe) in versions before 1.15

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Unix4lyfe Darkhttpd

    APP
    Unix4Lyfe
    < 1.15
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2020-25691HIGH7.5ten sam produkt

A flaw was found in darkhttpd. Invalid error handling allows remote attackers to cause denial-of-service by ac...

CVE-2024-23770MEDIUM5.5ten sam produkt

darkhttpd through 1.15 allows local users to discover credentials (for --auth) by listing processes and their ...