Bouncy Castle, a popular open-source cryptography library, has reported a severe authentication bypass vulnerability.
When exploited, the vulnerability (CVE-2020-28052) allows an attacker to gain access to user or administrator accounts due to a cryptographic weakness in the way passwords are checked.
Bouncy Castle is a set of cryptography APIs used by both Java and C#/.NET developers building security applications. Developers of mission-critical applications rely heavily on the library, which is evident from the high number of downloads it has seen to date. The .NET version of Bouncy Castle alone has reportedly been downloaded over 16,000,000 times, which speaks to the seriousness of vulnerabilities in Bouncy Castle.
Earlier this month, a couple of researchers disclosed an authentication bypass vulnerability in Bouncy Castle.
The vulnerability (CVE-2020-28052) exists in the OpenBSDBcrypt class of Bouncy Castle, which implements the Bcrypt password hashing algorithm. The Bcrypt.doCheckPassword() function, which is responsible for performing a byte-by-byte password hash match, contains erroneous logic.
Rather than checking that the characters at positions 0 to 59 match, the code checks for the index of the characters with values from 0 to 59 inclusive.
This means that passwords whose hashes, for instance, don’t contain bytes between 0x00 and 0x3B match every other password hash that doesn’t contain them. An attacker who passes this check doesn’t need a byte-for-byte match with the stored hash value.
Exploitation therefore means brute-forcing a set of strings until one yields a hash that makes the doCheckPassword() function return true (i.e. match successful).
With successful exploitation of this flaw, an attacker could brute-force the password for any user account, including the administrator’s, should an application’s hash-based password checks be using Bouncy Castle.
While brute-forcing normally takes a long time to crack passwords, this flaw “short circuits” the verification routine, so that assumption no longer holds.
According to the researchers, 20% of tested passwords could be brute-forced within the first thousand attempts by exploiting this vulnerability. Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further investigations revealed that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input.
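The comparison flaw described above can be seen in a small model, added here as an illustration and not taken from Bouncy Castle's source. The class name, method names and sample strings are assumptions made for the example, and `String.repeat` needs Java 11 or later.

```java
public class BcryptCompareDemo {
    // Flawed check as described above: indexOf(i) looks up the first position
    // of the character whose code is i; it does not read position i.
    static boolean flawedEquals(String stored, String computed) {
        boolean isEqual = stored.length() == computed.length();
        for (int i = 0; i != stored.length(); i++) {
            isEqual &= (stored.indexOf(i) == computed.indexOf(i));
        }
        return isEqual;
    }

    // Positional check: compare the character at every position and
    // accumulate the result without exiting early.
    static boolean positionalEquals(String stored, String computed) {
        boolean isEqual = stored.length() == computed.length();
        int n = Math.min(stored.length(), computed.length());
        for (int i = 0; i != n; i++) {
            isEqual &= (stored.charAt(i) == computed.charAt(i));
        }
        return isEqual;
    }

    public static void main(String[] args) {
        // Constructed 60-character strings shaped like Bcrypt output; they are
        // not real hashes. Both share the prefix and differ everywhere else,
        // using only characters with codes above 59.
        String prefix = "$2y$10$";
        String stored = prefix + "A".repeat(53);
        String other = prefix + "B".repeat(53);
        // Same as `stored` except for one digit (code 0x33) at position 7,
        // which changes the first-occurrence index the flawed loop compares.
        String withDigit = prefix + "3" + "A".repeat(52);

        System.out.println("flawed, different tails:     " + flawedEquals(stored, other));
        System.out.println("positional, different tails: " + positionalEquals(stored, other));
        System.out.println("flawed, digit in tail:       " + flawedEquals(stored, withDigit));
        System.out.println("positional, identical:       " + positionalEquals(stored, stored));
    }
}
```

A regression test for any hash comparison routine should include a pair like `stored` and `other`: equal length, shared prefix, different body.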
According to the researchers, Bcrypt hashing-based authentication is used for authentication checks in web applications and APIs.
Due to this, the vulnerability has been assigned a High severity CVSS 3.1 rating.
According to the researchers, both Bouncy Castle 1.65 and 1.66 are impacted by this flaw, but versions prior to 1.65 are not. Bouncy Castle has fixed this vulnerability in versions 1.67 and above, and developers are encouraged to apply the upgrade.