VYPR
High severity · NVD Advisory · Published Apr 15, 2023 · Updated Feb 6, 2025

CVE-2021-34337

Description

Mailman Core before 3.3.5 allowed timing attacks on the REST API password, enabling attackers with local network access to brute-force the password and make arbitrary API calls.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Mailman Core versions prior to 3.3.5 contain a timing side channel in the REST API password check. The submitted password was compared with the configured one using ordinary string equality (==), which returns as soon as the lengths differ or the first mismatching character is reached. The response time therefore depends on how long a prefix of the guess is correct, and an attacker who can time enough requests can recover the password one character at a time [1][4]. The fix, introduced in version 3.3.5, replaces the comparison with hmac.compare_digest, whose running time does not depend on the contents of the two values being compared [4].

Exploitation

An attacker needs network access to the REST API endpoint. By default the API is bound to localhost, so only users or processes on the same host can reach it [1]. If an administrator configures it to listen on other interfaces, the side channel becomes exploitable remotely. The attack consists of sending many HTTP Basic-auth attempts with chosen candidate passwords and measuring the response time of each; the candidate that takes measurably longer shares a longer correct prefix with the real password [1][4]. Because the per-character difference is tiny, each candidate must be sampled many times and the timings averaged to separate the signal from network and scheduler noise.
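The following is an added example, not code from the advisory or from Mailman itself. It models the side channel described above: a short-circuiting comparison (the behaviour of == before 3.3.5) next to an hmac.compare_digest check (the 3.3.5 fix), and a prefix-recovery attack driven by it. To keep the run deterministic the "clock" is a counter of byte comparisons rather than wall-clock time; on a live target the same signal would have to be extracted statistically from many timed HTTP Basic-auth attempts. The PasswordOracle class, the ALPHABET the attacker assumes the password is drawn from, and the sample password are all constructed for this illustration.

```python
"""Side-channel model for CVE-2021-34337 (constructed example).

A short-circuiting password comparison leaks, through its running time, how
long a prefix of the attacker's guess is correct.  The "clock" below is a
counter of byte comparisons so the demonstration is deterministic; against a
live REST API the same signal is extracted from many timed auth attempts.
"""
import hmac
import string
from typing import Optional, Tuple

# Character set the attacker assumes the password is drawn from (assumption).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


class PasswordOracle:
    """Stand-in for the REST API's password check (hypothetical helper).

    ``work`` records how many byte comparisons the last check performed and
    plays the role of response time.
    """

    def __init__(self, secret: str, constant_time: bool) -> None:
        self._secret = secret.encode()
        self._constant_time = constant_time
        self.work = 0

    def check(self, guess: str) -> bool:
        g = guess.encode()
        if self._constant_time:
            # Fixed behaviour (Mailman Core >= 3.3.5): hmac.compare_digest's
            # running time is independent of the operands' contents, modelled
            # here as always touching every byte of the guess.
            self.work = len(g)
            return hmac.compare_digest(self._secret, g)
        # Vulnerable behaviour (== on str/bytes): a length mismatch returns at
        # once, otherwise the loop stops at the first differing byte, so the
        # work done equals the length of the matching prefix plus one.
        self.work = 0
        if len(g) != len(self._secret):
            return False
        for expected, got in zip(self._secret, g):
            self.work += 1
            if expected != got:
                return False
        return True


def _cost(oracle: PasswordOracle, guess: str) -> Tuple[int, bool]:
    """One 'timed' attempt: (comparisons performed, authenticated?)."""
    ok = oracle.check(guess)
    return oracle.work, ok


def recover_password(oracle: PasswordOracle, max_len: int = 64) -> Optional[str]:
    """Reconstruct the secret one character at a time from the side channel.

    Returns None when the oracle yields no signal (every candidate costs the
    same, as with a constant-time comparison) or when the reconstructed value
    does not actually authenticate.
    """
    filler = " "  # padding byte, not in ALPHABET; only used to set the length
    # Step 1: every wrong length fails before any byte is compared, so the
    # true length is the one that costs more than zero comparisons.
    costs = {n: _cost(oracle, filler * n) for n in range(1, max_len + 1)}
    length = max(costs, key=costs.get)
    # Step 2: extend the known prefix; the right candidate survives one more
    # comparison than any wrong one (and authenticates on the final position).
    prefix = ""
    while len(prefix) < length:
        pad = filler * (length - len(prefix) - 1)
        costs = {c: _cost(oracle, prefix + c + pad) for c in ALPHABET}
        if len(set(costs.values())) == 1:
            return None  # no timing difference between candidates
        prefix += max(costs, key=costs.get)
    return prefix if oracle.check(prefix) else None


if __name__ == "__main__":
    secret = "s3cretP4ss!"  # constructed sample password
    print("vulnerable:", recover_password(PasswordOracle(secret, constant_time=False)))
    print("fixed:     ", recover_password(PasswordOracle(secret, constant_time=True)))
```

Against the vulnerable oracle the attack needs at most max_len plus length × len(ALPHABET) attempts instead of an exponential search; against the constant-time oracle every candidate at the first position costs the same and recover_password gives up. The model assumes the password is drawn from ALPHABET; a character outside it also produces a flat cost profile and a None result.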

Impact

Successful exploitation allows an attacker to recover the REST API password and then make arbitrary API calls. This could lead to unauthorized management of mailing lists, including creating, modifying, or deleting lists and members, compromising the integrity and confidentiality of the mailing list system [1].

Mitigation

Users should upgrade to Mailman Core 3.3.5 or later, which contains the fix [2][4]. Administrators should also keep the REST API bound to localhost unless remote access is genuinely required, which removes the network attack surface entirely [1]. The fix is included in commit e4a39488 [4].
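As an added illustration of the configuration side of the mitigation (not taken from the advisory), this is the [webservice] section of Mailman Core's mailman.cfg; the section and its hostname, port, admin_user and admin_pass keys are the stock ones, while the values and comments are this example's own. It is assumed here that a copy of the configuration exposing the listener on all interfaces is the weak setting being corrected.

```ini
# Added example: the [webservice] section of mailman.cfg with the
# localhost binding the advisory recommends (values are illustrative).
[webservice]
# Keep the REST listener on loopback. Setting hostname to 0.0.0.0 or a LAN
# address turns this local-only issue into a remotely reachable one.
hostname: localhost
port: 8001
# Replace the shipped defaults (restadmin / restpass): a reachable API with a
# guessable password needs no timing side channel to be taken over.
admin_user: restadmin
admin_pass: CHANGE-ME-to-a-long-random-value
```

Restart the Mailman runners after editing the file so the new binding and credentials take effect, and confirm with a socket listing (for example `ss -ltnp`) that port 8001 is bound only to 127.0.0.1 or ::1.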

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
mailman   PyPI        < 3.3.5             3.3.5

Affected products: 4


References: 6
