草榴社区

Overview

草榴社区 CyRC researchers have discovered CVE-2020-28052, an authentication bypass vulnerability in the OpenBSDBcrypt class of the widely used Java cryptography library Bouncy Castle. This class implements the Bcrypt algorithm for password hashing. Attackers can bypass password checks in applications that use Bouncy Castle’s OpenBSDBcrypt class. 

The vulnerability in the method?OpenBSDBcrypt.doCheckPassword was introduced?in commit . 

The doCheckPassword method implements a flawed verification routine. The code checks for?an index?of characters from 0 to 59 inclusive, rather than checking that characters at positions from 0 to 59 match. This means that passwords that result in hashes that, for instance, don’t contain bytes between 0x00 and 0x3B match every other password hash that don’t contain them. Passing this check means an attacker doesn’t need a byte-for-byte match with the stored hash value. 

boolean isEqual = sLength == newBcryptString.length();
for (int i = 0; i != sLength; i++)
{
    isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
}
return isEqual;

In most cases where Bcrypt.doCheckPassword() is used to check a password, successful exploitation will cause an authentication bypass.

Exploitation

An attacker must brute-force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1,000 attempts. Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input. 

Affected software

• Bouncy Castle 1.65 (released 3/31/2020) and Bouncy Castle 1.66 (released 7/4/2020) are affected by .
• Bouncy Castle 1.67 (released 11/1/2020) fixes this vulnerability. Versions prior to 1.65 are?not affected?by CVE-2020-28052.

Note: As a result of this disclosure, 草榴社区 investigated its own products and found none used Bouncy Castle version 1.65 or 1.66 at the time this disclosure was published. 

Impact

Bcrypt hashing–based authentication may be used for authentication checks, for example, in web applications and APIs. 

CVSS 3.1 score

Bouncy Castle is a software library. The following worst-case implementation scenario was assumed in determining the CVSS score (following FIRST??for software libraries): 

Bcrypt hashing is used to check user-supplied passwords. Once the authentication bypass is triggered, attackers can perform the same operations as a legitimate user (gaining administrator-level access to a single-sign-on system, for example). 

Vector: ?

Score: 8.1 

Exploitability metrics: 
Attack Vector (AV): N = Network 
Attack Complexity (AC): H = High 
Privileges Required (PR): N = None 
User Interaction (UI): N = None 
Scope (S): C = Changed scope

Impact metrics 
Confidentiality Impact (C): H = High impact 
Integrity Impact (I): H = High impact 
Availability Impact (A): H = High impact

Remediation

Software vendors and users of the library are strongly encouraged to upgrade to Bouncy Castle Java release .

Discovery credit

A team of researchers from 草榴社区 Cybersecurity Research Center (CyRC) in Oulu, Finland, discovered the issue:

• Matti Varanka
• Tero Rontti

草榴社区 would like to thank the Bouncy Castle team for their responsiveness and for addressing this matter in a timely manner.