EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse

Title: EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse
Advisory ID: ZSL-2020-5598
Type: Local/Remote
Impact: Security Bypass
Risk: (3/5)
Release Date: 06.10.2020
Summary
GoAhead is the world's most popular, tiny embedded web server. It is compact, secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices.
Description
A security vulnerability affecting GoAhead versions 2 to 5 has been identified when using Digest authentication over HTTP. The HTTP Digest Authentication in the GoAhead web server does not completely protect against replay attacks. This allows an unauthenticated remote attacker to bypass authentication via capture-replay if TLS is not used to protect the underlying communication channel. Digest authentication uses a "nonce" value to mitigate replay attacks. GoAhead versions 3 to 5 validated the nonce with a fixed duration of 5 minutes which permitted short-period replays. This duration is too long for most implementations.
Vendor
Embedthis Software LLC - https://www.embedthis.com
Affected Version
<=5.1.1 and <=4.1.2
Tested On
GoAhead-http
GoAhead-Webs
Vendor Status
[16.07.2020] Vendor releases version 4.1.4 or 5.1.2 to address this issue.
PoC
goahead_noncereplay.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to David and Michael.
References
[1] https://github.com/embedthis/goahead-gpl/issues/2
[2] https://github.com/embedthis/goahead-gpl/issues/3
[3] https://github.com/embedthis/appweb-gpl/issues/4
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15688
[5] https://nvd.nist.gov/vuln/detail/CVE-2020-15688
[6] https://www.tenable.com/cve/CVE-2020-15688
[7] https://cert.civis.net/en/index.php?action=alert¶m=CVE-2020-15688
[8] https://packetstormsecurity.com/files/159505
[9] https://exchange.xforce.ibmcloud.com/vulnerabilities/185771
[10] https://cxsecurity.com/issue/WLB-2020100044
Changelog
[06.10.2020] - Initial release
[18.10.2020] - Added reference [8], [9] and [10]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk