Bug 1065086 (CVE-2014-0083) - CVE-2014-0083 rubygem-net-ldap: SSHA passwords generated by the net-ldap Ruby gem use a weak salt
Summary: CVE-2014-0083 rubygem-net-ldap: SSHA passwords generated by the net-ldap Ruby...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-0083
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-02-13 21:42 UTC by Kurt Seifried
Modified: 2023-05-12 13:04 UTC (History)
28 users (show)

Fixed In Version: rubygem-net-ldap 0.11
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-13 21:46:59 UTC
Embargoed:

Attachments (Terms of Use)

Description Kurt Seifried 2014-02-13 21:42:46 UTC 
Pierre Carrier of airbnb reports:

The net-ldap gem generates SSHA passwords with a salt value between
"0" and "999", providing slightly less than 10 bits of entropy.

External reference:
https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap/password.rb
Comment 1 Kurt Seifried 2014-02-13 21:44:33 UTC 
Acknowledgement:

Red Hat would like to thank Pierre Carrier of airbnb for reporting this issue.
Comment 2 Kurt Seifried 2014-02-13 21:45:50 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of rubygem-net-ldap as shipped with Red Hat Subscription Asset Manager, CloudForms Management Engine and Red Hat OpenStack 3 and 4 as they did not include support for the password salting feature.
Comment 3 Ján Rusnačko 2015-05-13 15:57:31 UTC 
Fixed in commit:

https://github.com/ruby-ldap/ruby-net-ldap/commit/b412ca05f6b430eaa1ce97ac95885b4cf187b04a
Note You need to log in before you can comment on or make changes to this bug.