Bug 219187

Summary: A truncated md5 password in /etc/shadow is still valid.
Product: Red Hat Enterprise Linux 4 Reporter: Chuck Berg <cberg>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Jay Turner <jturner>
Severity: low Docs Contact:
Priority: medium    
Version: 4.4CC: carl, nalin, security-response-team, srevivo
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2007-0300 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-05-01 17:24:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed patch none

Description Chuck Berg 2006-12-11 19:51:50 UTC 
Truncated md5 passwords in /etc/shadow are still be considered valid. Only the
beginning is compared, so a significantly truncated password can cause a huge
number of passwords to be valid.

To test:
Set root's shadow line to this:
root:$1$U57L.DJM$h:13473:0:99999:7:::

Now try to login as root using su or ssh. At least the following passwords work:
0
8
43
54
Comment 1 Tomas Mraz 2006-12-11 20:18:12 UTC 
Truncating the MD5 passwords in /etc/shadow could happen only by accident
(broken script run by admin or so).

So I don't think it is too serious problem.
Comment 3 Josh Bressers 2006-12-11 20:43:04 UTC 
This bug should not be called a security flaw.

While it appears it could have a security context, this really shouldn't.  No
known good tools will cause this condition to happen, which means that an admin
must run a third party tool over the shadow file, and apparently one that
produces untrusted data.  If an admin has a process producing untrustworthy
output that will be copied into the shadow file, there are other serious
problems, not just this.  md5 is known to be flawed in many ways, this is simply
one of them.
Comment 4 Tomas Mraz 2006-12-11 20:52:22 UTC 
Created attachment 143326 [details]
Proposed patch

This is a proposed patch to fix the problem.
Comment 5 Chuck Berg 2006-12-11 21:37:42 UTC 
Bug 207387 gives a good example why a person might need to develop their own
tools to edit /etc/passwd and /etc/shadow, or edit manually.

As an actual security issue, an attacker who already has root can modify a
user's password so that the original password still works, but also some
additional ones.  If a lot of effort has been taken to lock a system down, an
attacker might find this to be the most viable method of preserving remote
access. Since pwck doesn't complain, it could easily be missed even though the
admin thinks he is checking for this kind of thing.
Comment 6 Carl Speare 2006-12-11 21:42:46 UTC 
"This bug should not be called a security flaw."

su and sshd don't care too much about truncated passwords, and accept a 
password potentially very different from the intended password. That isn't a 
security problem?

So while the source of the problem is exceedingly rare and controlled, the 
resulting hole is undetectable (pwck ***never*** complains) and wide enough to 
make a system insecure. (Unless having multiple passwords for root isn't a 
security problem.)
Comment 7 Josh Bressers 2006-12-11 21:52:57 UTC 
If you're using md5 passwords, root has multiple passwords.  It's the nature of
md5 passwords.  They're known to be weak against collision attacks.  If you're
worried about anything being able to accept a password which is different than
the intended one, don't use MD5 password hashes.

I can be convinced that this should be considered a security flaw, but these
current arguments are stretches.  This bug simply highlights the inherent
weakness of MD5 and why it should not be used.
Comment 8 Chuck Berg 2006-12-13 14:55:11 UTC 
If MD5 has inherent weaknesses that mean it should be never used, will we be
offered a more secure password hash?

Not that the choice of hash is in any way relevant to this bug. (except that the
comments surrounding it indicate that it was introduced due to the requirement
to support multiple hashes).
Comment 9 Tomas Mraz 2006-12-13 15:07:04 UTC 
The inherent weaknesses of MD5 are not critical in case of password hashes. The
problem with this bug is that truncating the MD5 password enlarges the weakness
by many orders of magnitude.

However that doesn't change anything on the evaluation of this problem - it is
not a security flaw because it doesn't give any advantage to an attacker on a
system which is not broken by admin action first.

Also an attacker who already has a root can do just anything on your system so
this is not a situation we can guard against.
Comment 11 RHEL Program Management 2006-12-19 10:23:55 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 12 Jay Turner 2006-12-19 12:40:51 UTC 
QE ack for RHEL4.5.
Comment 16 Red Hat Bugzilla 2007-05-01 17:24:59 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0300.html