[opensuse-factory] Yast using DES password hashing on recent Tumbleweed snapshots
I was playing around with a laptop I installed Tumbleweed on last week when suddenly I realized I don’t have to input my whole password - only the first few characters let me in. I quickly realized what it was and, with a sinking feeling, I checked /etc/shadow to find my user password (but not the root password, thankfully) hashed with DES_crypt…

I had installed Tumbleweed using the net install ISO, on snapshot 20191107. I quickly spun up a fresh Tumbleweed VM using a current ISO (though I know the net installer updates automatically) and the password of the new user was hashed with DES (and hence stripped to 8 chars) without any warning.

Using passwd, I was able to correct this problem, and I found that there’s an option in YaST that controls what hashing function it uses. On my Leap servers, it’s set to SHA512, which is what it should be. On my Tumbleweed machines, it’s set to DES and I get a warning when I try to set a password longer than 8 chars using YaST.

I think this is a mistake that should be rectified ASAP, though I’m not sure where the problem is. It apparently didn’t occur in older snapshots, but at least this month, anyone who installed Tumbleweed might be vulnerable. Check your password hashes!

Regards
Radosław Wyrzykowski
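The check the post ends with, as an added example that is not part of the original message or of any openSUSE/YaST code: a POSIX sh script that classifies the hash field of shadow(5) entries by their crypt(3) prefix, so that traditional DES entries (no `$id$` prefix, exactly 13 characters of [./0-9A-Za-z]) stand out next to SHA-512, yescrypt and the rest. The entries produced by `sample_shadow` are constructed for the demonstration and their hash bodies are placeholders; only the prefix and shape matter to the classifier. On a live system it would be run as root with `audit_shadow < /etc/shadow`.

```shell
#!/bin/sh
# Added example, not code from the thread or from openSUSE: audit the hash
# field of shadow(5) entries and flag traditional DES crypt.
#
# Usage on a real system (as root):   audit_shadow < /etc/shadow
# The sample below is constructed; hash bodies are placeholders, only their
# prefix and shape matter to the classifier.

# Print a label for one crypt(3) hash string.
classify_hash() {
    h=$1
    case "$h" in
        "")                       echo "EMPTY" ;;         # no password at all
        '!'*|'*'*)                echo "LOCKED" ;;        # disabled account
        '$6$'*)                   echo "SHA512" ;;
        '$5$'*)                   echo "SHA256" ;;
        '$y$'*)                   echo "yescrypt" ;;
        '$gy$'*)                  echo "gost-yescrypt" ;;
        '$7$'*)                   echo "scrypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo "bcrypt" ;;
        '$1$'*)                   echo "MD5" ;;           # weak, but uses the whole password
        '$'*)                     echo "UNKNOWN" ;;       # some other $id$ scheme
        *)
            # No $id$ prefix: traditional DES crypt is exactly 13 chars of
            # [./0-9A-Za-z] (2 salt + 11 hash) and only the first 8 bytes of
            # the password went into it. Anything else unprefixed is malformed.
            if printf '%s' "$h" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo "DES"
            else
                echo "MALFORMED"
            fi
            ;;
    esac
}

# Read shadow-format lines on stdin, print "user<TAB>label" per entry.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s\t%s\n' "$user" "$(classify_hash "$hash")"
    done
}

# Count entries whose hash is DES (shadow-format lines on stdin).
count_des_accounts() {
    audit_shadow | awk -F'\t' '$2 == "DES" { n++ } END { print n + 0 }'
}

# Constructed sample in shadow(5) format; the hash bodies are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$K3xq7hVb$Placeholder.Body.Of.A.SHA512.Crypt.Hash.Not.A.Real.One.0123456789abcdefghij:18221:0:99999:7:::
radek:abJnggxhB/yWI:18221:0:99999:7:::
svc:!$6$K3xq7hVb$Placeholder.Body.Locked.Account.0123456789abcdefghijklmnopqrstuvwxyz:18221:0:99999:7:::
nobody:*:18221::::::
legacy:$1$abcdefgh$PlaceholderMD5CryptBody:18221:0:99999:7:::
EOF
}

# Demonstration on the constructed sample.
sample_shadow | audit_shadow
echo "DES accounts: $(sample_shadow | count_des_accounts)"
```

Locked accounts (`!` or `*` prefix) are reported as LOCKED rather than by the scheme behind the `!`, since they cannot log in anyway. An entry the script labels DES cannot be upgraded in place: the stored value only encodes the first eight bytes, so the fix is to correct the configured method and then set the password again with `passwd`, exactly as the post describes.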
On Thursday, 21 November 2019, 19:43:48 CET, Radosław Wyrzykowski wrote:
> On my Leap servers, it’s set to SHA512, which is what it should be.
> On my Tumbleweed machines, it’s set to DES and I get a warning when I try to set a password longer than 8 chars using YaST.
> I think this is a mistake that should be rectified ASAP, though I’m not sure where the problem is.

+1

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 21.11.2019 21:43, Radosław Wyrzykowski wrote:
> I think this is a mistake that should be rectified ASAP, though I’m not sure where the problem is.

https://bugzilla.opensuse.org/show_bug.cgi?id=1155735
Hi,

On Thursday, 21 November 2019, 19:43:48 CET, Radosław Wyrzykowski wrote:
> I was playing around with a laptop I installed Tumbleweed on last week when suddenly I realized I don’t have to input my whole password - only the first few characters let me in.
> I quickly realized what it was and, with a sinking feeling, I checked /etc/shadow to find my user password (but not the root password, thankfully) hashed with DES_crypt…
> I had installed Tumbleweed using the net install ISO, on snapshot 20191107.
> I quickly spun up a fresh Tumbleweed VM using a current ISO (though I know the net installer updates automatically) and the password of the new user was hashed with DES (and hence stripped to 8 chars) without any warning.
> Using passwd, I was able to correct this problem, and I found that there’s an option in YaST that controls what hashing function it uses.
> On my Leap servers, it’s set to SHA512, which is what it should be.
> On my Tumbleweed machines, it’s set to DES and I get a warning when I try to set a password longer than 8 chars using YaST.
> I think this is a mistake that should be rectified ASAP, though I’m not sure where the problem is.

Probably with /usr/etc/login.defs. Does it work after you cp /usr/etc/login.defs /etc/login.defs and create a new user/change the password with YaST? If so, it's https://bugzilla.opensuse.org/show_bug.cgi?id=1155735. If not, please create a new bug report with your observations.

> It apparently didn’t occur in older snapshots, but at least this month, anyone who installed Tumbleweed might be vulnerable. Check your password hashes!

I agree - this is a CVE worthy bug IMO. DES is like plaintext, but at least only the first eight bytes are affected...

Cheers,
Fabian

> Regards
> Radosław Wyrzykowski
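An added example illustrating the diagnosis and workaround above, written for this page rather than taken from the thread, YaST or the shadow suite: a POSIX sh script that resolves ENCRYPT_METHOD across the /usr/etc and /etc copies of login.defs and reports when no method is configured at all, which is the state in which a tool's own fallback (DES on the affected snapshots, per the thread) decides the hash. It assumes whole-file precedence, i.e. an existing /etc/login.defs is consulted instead of, not merged with, /usr/etc/login.defs; that is the behaviour the `cp` workaround relies on, not a statement about how any particular tool parses the files. The directory tree and login.defs contents built by `make_demo_tree` are constructed for the demonstration, and `effective_encrypt_method` and `verdict` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread or from openSUSE/YaST: resolve which
# login.defs supplies ENCRYPT_METHOD on a system with the /usr/etc split, and
# reproduce the workaround from the thread (copying the vendor file to /etc).
#
# Assumption (matches the workaround, not a claim about any tool's parser):
# whole-file precedence, i.e. if /etc/login.defs exists it is the only file
# read, and the vendor default in /usr/etc/login.defs is consulted only when
# /etc/login.defs is absent. On a real system call:
#   effective_encrypt_method /etc/login.defs /usr/etc/login.defs

# Print the ENCRYPT_METHOD from the first existing file among the arguments
# (last uncommented definition wins inside that file). Prints UNSET when that
# file has no ENCRYPT_METHOD line, NOFILE when none of the files exist.
effective_encrypt_method() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk '$1 == "ENCRYPT_METHOD" { v = $2 } END { print (v == "" ? "UNSET" : v) }' "$f"
        return 0
    done
    echo NOFILE
}

# Map the resolved value to something a compliance check can alert on.
# UNSET/NOFILE is a finding: whatever reads the file falls back to a
# tool-specific default, and in this thread that default turned out to be DES.
verdict() {
    case "$1" in
        SHA512|SHA256|YESCRYPT|BCRYPT) echo "OK ($1)" ;;
        DES|MD5)                       echo "WEAK ($1)" ;;
        UNSET|NOFILE)                  echo "RISK (no ENCRYPT_METHOD configured, tool fallback applies)" ;;
        *)                             echo "UNKNOWN ($1)" ;;
    esac
}

# Build a constructed tree mimicking the /usr/etc split: vendor file present
# with SHA512, no /etc/login.defs yet. Prints the root of the tree.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/usr/etc"
    cat > "$d/usr/etc/login.defs" <<'EOF'
# constructed vendor default, modelled on the shadow suite's login.defs
ENCRYPT_METHOD SHA512
SHA_CRYPT_MIN_ROUNDS 5000
EOF
    printf '%s\n' "$d"
}

# Walk the three states the thread describes and print the verdict for each.
demo() {
    d=$(make_demo_tree)
    etc="$d/etc/login.defs"; usr="$d/usr/etc/login.defs"

    m=$(effective_encrypt_method "$etc" "$usr")
    echo "no /etc/login.defs, vendor file only:   $m -> $(verdict "$m")"

    # An /etc/login.defs that exists but leaves the key commented out hides
    # the vendor value entirely under whole-file precedence.
    printf '# ENCRYPT_METHOD SHA512\n' > "$etc"
    m=$(effective_encrypt_method "$etc" "$usr")
    echo "/etc/login.defs without the key:        $m -> $(verdict "$m")"

    # The workaround from the thread: cp /usr/etc/login.defs /etc/login.defs
    cp "$usr" "$etc"
    m=$(effective_encrypt_method "$etc" "$usr")
    echo "after copying the vendor file to /etc:  $m -> $(verdict "$m")"

    rm -rf "$d"
}

demo
```

The middle case is the one worth keeping an eye on after the bug is fixed: a stray /etc/login.defs with the key commented out looks harmless but, under whole-file precedence, removes the vendor setting from view, and the result then depends entirely on the reading tool's fallback. A check that only greps /usr/etc/login.defs would report SHA512 and miss it.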
On Thu, 2019-11-21 at 20:27 +0100, Fabian Vogt wrote:
> I agree - this is a CVE worthy bug IMO. DES is like plaintext, but at least only the first eight bytes are affected...

We have assigned CVE-2019-3700.
https://bugzilla.opensuse.org/show_bug.cgi?id=CVE-2019-3700

Please reach out to security@suse.com if you come across vulnerabilities or exposures in openSUSE because we don't read every email on every mailing list.

Best,
Malte

-- 
Malte Kraus <malte.kraus@suse.com>
Security Engineer
PGP Key: 8AFC 3C58 6880 2DDD 4792 C3C2 FDBD 2984 D4C3 C2F0
SUSE Software Solutions Germany GmbH / Maxfeldstr. 5 / 90409 Nürnberg / Germany / (HRB 36809, AG Nürnberg) / Geschäftsführer: Felix Imendörffer
On Thu, 21 Nov 2019, Fabian Vogt wrote:
> Hi,
>
> On Thursday, 21 November 2019, 19:43:48 CET, Radosław Wyrzykowski wrote:
> > [...]
> > I think this is a mistake that should be rectified ASAP, though I’m not sure where the problem is.
>
> Probably with /usr/etc/login.defs. Does it work after you cp /usr/etc/login.defs /etc/login.defs and create a new user/change the password with YaST?
> If so, it's https://bugzilla.opensuse.org/show_bug.cgi?id=1155735. If not, please create a new bug report with your observations.

Probably worth fixing the "fallback" algorithm when none is configured in login.defs (as YaST figures)... at least DES shouldn't be included in the list of ciphers at all.

> [...]
> Cheers,
> Fabian

-- 
Richard Biener <rguenther@suse.de>
SUSE Software Solutions Germany GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany; GF: Felix Imendörffer; HRB 36809 (AG Nuernberg)
participants (6)
- Andrei Borzenkov
- Fabian Vogt
- Hans-Peter Jansen
- Malte Kraus
- Radosław Wyrzykowski
- Richard Biener