CVE-2019-16764 in pow_assent
Summary
by MITRE
The use of `String.to_atom/1` in PowAssent is susceptible to denial of service attacks. In `PowAssent.Phoenix.AuthorizationController` a value is fetched from the user provided params, and `String.to_atom/1` is used to convert the binary value to an atom so it can be used to fetch the provider configuration value. This is unsafe as it is user provided data, and can be used to fill up the whole atom table of ~1M which will cause the app to crash.
Analysis
by VulDB Data Team • 02/27/2024
The vulnerability described in CVE-2019-16764 is a critical denial of service weakness in the PowAssent library, a popular authentication solution for Phoenix applications. The flaw is the unsafe handling of user-provided data through `String.to_atom/1`, which is a direct path to atom table exhaustion. It sits in the `PowAssent.Phoenix.AuthorizationController` module, where the application processes authentication parameters submitted by users without sanitizing or validating them. When an attacker supplies crafted input to the authentication flow, the system converts that data to atoms unconditionally, so the atom table can be rapidly consumed and eventually exhausted.
The root cause lies in how Elixir's atom table behaves and in the inherent risk of creating atoms dynamically from untrusted input. In Elixir, atoms live in a single global table and are never garbage collected, so every unique string converted to an atom becomes a permanent entry in memory. An attacker who submits a large volume of unique strings that are then converted to atoms steadily fills the table, which typically holds around 1 million entries. Once the table reaches capacity, the application crashes because no new atoms can be created, leaving a complete denial of service condition that affects all authentication operations.
The operational impact of this vulnerability extends beyond simple service disruption to encompass potential system instability and resource exhaustion across the entire application stack. Attackers can execute this attack with minimal resources while causing significant damage, making it particularly dangerous in production environments where authentication systems are constantly accessed. The vulnerability affects applications using PowAssent for authentication, particularly those that rely on dynamic provider configurations where user input directly influences the atom creation process. This creates a persistent threat vector that can be exploited repeatedly, potentially leading to extended downtime and service unavailability.
Mitigation has to cover both immediate remediation and longer-term architectural improvements. The primary fix is to replace `String.to_atom/1` with `String.to_existing_atom/1`, or to validate and sanitize the input properly before any atom conversion takes place. Organizations should also apply rate limiting and input length restrictions to authentication parameters so that the atom table cannot be exhausted quickly. In addition, monitoring should be configured to detect unusual atom table growth that could indicate exploitation attempts. From a defensive perspective, this vulnerability aligns with the CWE-129 and CWE-400 categories, weaknesses in input validation and resource management that can lead to denial of service conditions. The attack pattern follows the denial of service methodology described in the MITRE ATT&CK framework under the 'Resource Exhaustion' technique, in which attackers use application vulnerabilities to consume system resources and disrupt service. Organizations should also consider automated security scanning that can identify the same pattern elsewhere in their codebases, and ensure that proper atom handling is followed throughout their applications.
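As an added example, not code from the PowAssent project or from this advisory, the Elixir module below puts the unsafe `String.to_atom/1` lookup described in the analysis next to two hardened lookups for the same provider parameter, and adds the atom-table check that the monitoring recommendation calls for. The `ProviderLookup` module name and the `@providers` keyword list with its placeholder client ids are constructed for this example; `String.to_existing_atom/1`, `:erlang.system_info(:atom_count)` and `:erlang.system_info(:atom_limit)` are real Elixir and Erlang/OTP calls.

```elixir
# Added example (not PowAssent's code): provider lookup from an untrusted
# request parameter, in the unsafe form and in two safe forms.
defmodule ProviderLookup do
  # Constructed stand-in for the application's provider configuration.
  # Because these keys are compiled into the module, the atoms :github and
  # :google already exist in the VM before any request arrives.
  @providers [
    github: [client_id: "example-github-id"],
    google: [client_id: "example-google-id"]
  ]

  # UNSAFE (the pattern behind CVE-2019-16764): every distinct string a
  # client sends becomes a permanent entry in the atom table.
  def provider_config_unsafe(provider_param) when is_binary(provider_param) do
    Keyword.get(@providers, String.to_atom(provider_param))
  end

  # SAFER: String.to_existing_atom/1 never allocates a new atom. An unknown
  # name raises ArgumentError, which is turned into an error tuple here.
  # The Keyword.fetch/2 step is still required: any atom that already exists
  # in the VM (module names, option keys, ...) converts successfully.
  def provider_config_existing(provider_param) when is_binary(provider_param) do
    try do
      key = String.to_existing_atom(provider_param)

      case Keyword.fetch(@providers, key) do
        {:ok, config} -> {:ok, config}
        :error -> {:error, :unknown_provider}
      end
    rescue
      ArgumentError -> {:error, :unknown_provider}
    end
  end

  # SAFEST: compare the untrusted string against the configured keys and
  # reuse the atom that already exists in the config. No conversion of
  # client data into an atom happens at all.
  def provider_config_allowlist(provider_param) when is_binary(provider_param) do
    match = Enum.find(@providers, fn {key, _cfg} -> Atom.to_string(key) == provider_param end)

    case match do
      {_key, config} -> {:ok, config}
      nil -> {:error, :unknown_provider}
    end
  end

  # Health check for the monitoring the analysis recommends: how much of the
  # BEAM atom table is in use. Alert when the ratio climbs steadily under load.
  def atom_table_usage do
    count = :erlang.system_info(:atom_count)
    limit = :erlang.system_info(:atom_limit)
    %{count: count, limit: limit, ratio: count / limit}
  end
end

# Usage in iex:
#   ProviderLookup.provider_config_allowlist("github")   # {:ok, [client_id: "example-github-id"]}
#   ProviderLookup.provider_config_allowlist("bogus")    # {:error, :unknown_provider}
#   ProviderLookup.provider_config_existing("bogus")     # {:error, :unknown_provider}
#   ProviderLookup.atom_table_usage()                    # %{count: ..., limit: 1048576, ratio: ...}
```

The allowlist version is the one to prefer: it needs no `rescue`, and it cannot be tricked by a string that happens to name some unrelated atom already loaded in the VM. Calling `provider_config_unsafe/1` with a fresh string on each request is exactly what raises `atom_table_usage/0`'s ratio towards 1.0, which is the signal a dashboard or alert should watch for.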