Bug 1912881 (CVE-2020-28052) - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
Summary: CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword u...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-28052
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1912883 1912882
Blocks: 1912884
TreeView+ depends on / blocked
 
Reported: 2021-01-05 13:58 UTC by Marian Rehak
Modified: 2021-11-23 10:34 UTC (History)
86 users (show)

See Also:
Fixed In Version: bouncycastle 1.67
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in bouncycastle. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-03-16 19:19:32 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0872 0 None None None 2021-03-16 13:43:46 UTC
Red Hat Product Errata RHSA-2021:0873 0 None None None 2021-03-16 13:35:57 UTC
Red Hat Product Errata RHSA-2021:0874 0 None None None 2021-03-16 13:39:53 UTC
Red Hat Product Errata RHSA-2021:0885 0 None None None 2021-03-16 13:19:37 UTC
Red Hat Product Errata RHSA-2021:0974 0 None None None 2021-03-23 14:18:29 UTC
Red Hat Product Errata RHSA-2021:2755 0 None None None 2021-07-15 15:25:51 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:23:47 UTC
Red Hat Product Errata RHSA-2021:3205 0 None None None 2021-08-18 09:13:36 UTC
Red Hat Product Errata RHSA-2021:4767 0 None None None 2021-11-23 10:34:43 UTC

Description Marian Rehak 2021-01-05 13:58:54 UTC
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Comment 1 Marian Rehak 2021-01-05 13:59:39 UTC
Created bouncycastle tracking bugs for this issue:

Affects: epel-all [bug 1912883]
Affects: fedora-32 [bug 1912882]

Comment 4 Jason Shepherd 2021-01-06 01:00:24 UTC
Red Hat Enterprise Virtualisation Manager 4 uses bouncycastle version 1.58 which is not affected.

Comment 16 Jonathan Christison 2021-01-12 13:03:54 UTC
Marking Red Hat Fuse 7 and Red Hat Integration Camel K as having a moderate impact, although both products make available bouncycastle jars in the affected version range (1.65 and 1.66) there is no use of the vulnerable OpenBSDBCrypt bcrypt implementation, furthermore application defaults and component design ie. in Camel-Crypto mean use of OpenBSDBCrypt doesn't fit the usecase of these components in an end application.

Comment 18 Jonathan Christison 2021-01-12 19:50:24 UTC
A word on scoring, our scoring is currently 8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and NVD of 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 


Exploitability Metrics: 

Attack Vector Network (AV:N) -

Agree here, Bouncy Castle use is as an application library and can be used as a JCA/JCE provider, although Bouncy Castle itself is not bound to the network stack, applications using its functionality are likely to be.
  
Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H):

We disagree with the original scoring of a low attack complexity, we believe the impact is significantly different depending on the specific applications handling, that is to say a successful attack depends on conditions beyond the attacker's control, we believe those conditions are -

*) The vulnerability originates in the OpenBSDBCrypt hash comparison method (doCheckPassword), where a bitwise comparison was mistakenly carried out on the integer position of a character in the hashed strings as opposed to checking each character at a specific index. This means although an incorrect hash can incorrectly return true even if the hash values themselves are quite dissimilar, not every hash derived from a password will return true. In other words brute-forcing will likely be required.   

*) The configuration of the hashing function will vary depending on end application implementation, most importantly the cost factor to the OpenBSDBcrypt hash, the higher the value the longer it takes for the hash generation, typically good practice means this generation time should be as long as reasonably tolerable; as brute-forcing is likely required increasing the hash generation time will make this attack less practical.   

Privileges Required None (PR:N) -
Agree here, the attacker does not need to be a privileged user eg. no login required to exploit the base flaw.

User Interaction None (UI:N)
Agree here, a user does not need to be coerced into performing any action for this flaw

Scope Unchanged (S:U)
Agree here, the attacker will not be able to escape the scope of the authority for which the hash comparison is being carried out as a password from which the password itself is derived is not disclosed.
 
Impact Metrics:

Confidentiality High (C:H) 
Agree here, we can assume any system involving bcrypt which is common for authentication and block encryption where slow hashing is a requirement will be protecting information which if disclosed would present a direct, serious impact, for example an administrative account.

Integrity High (I:H) 
Agree here, for the same reasons mentioned in Confidentiality its likely the information or components protected by bcrypt would present a direct, serious consequence.

Availability High (A:H)
Agree here, Its likely components protected by OpenBSDBCrypt for example administrative portals if breached would allow an attacker to shutdown or block services

Comment 19 Jonathan Christison 2021-01-14 21:07:41 UTC
Mitigation:

Users unable to upgrade to version 1.67 or greater can copy the `OpenBSDBCrypt.doCheckPassword()` method implementation (https://github.com/bcgit/bc-java/blob/r1rv67/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java#L259-L343) into their own utility class and supplement it with the required methods and variables as required

Comment 22 errata-xmlrpc 2021-03-16 13:19:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:0885 https://access.redhat.com/errata/RHSA-2021:0885

Comment 23 errata-xmlrpc 2021-03-16 13:35:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0873

Comment 24 errata-xmlrpc 2021-03-16 13:39:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0874

Comment 25 errata-xmlrpc 2021-03-16 13:43:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0872

Comment 26 Product Security DevOps Team 2021-03-16 19:19:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28052

Comment 27 errata-xmlrpc 2021-03-23 14:18:23 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.6

Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974

Comment 30 errata-xmlrpc 2021-04-27 08:48:03 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.1

Via RHSA-2021:1401 https://access.redhat.com/errata/RHSA-2021:1401

Comment 31 errata-xmlrpc 2021-06-02 14:23:38 UTC
This issue has been addressed in the following products:

  Red Hat EAP-XP via EAP 7.3.x base

Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210

Comment 33 errata-xmlrpc 2021-07-15 15:25:48 UTC
This issue has been addressed in the following products:

  Red Hat EAP-XP 2.0.0 via EAP 7.3.x base

Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755

Comment 34 errata-xmlrpc 2021-08-11 18:23:42 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 35 errata-xmlrpc 2021-08-18 09:13:32 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205

Comment 36 errata-xmlrpc 2021-11-23 10:34:39 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767


Note You need to log in before you can comment on or make changes to this bug.