From owner-freebsd-bugbusters@FreeBSD.ORG Thu Feb 13 06:40:14 2014
From: Red Hat Security Response Team
Sender: secalert@redhat.com
X-PGP-Public-Key: https://www.redhat.com/security/650d5882.txt
Subject: [engineering.redhat.com #278019] Insufficient salting in the net-ldap Ruby gem
RT-Ticket: engineering.redhat.com #278019
RT-Originator: kseifried@redhat.com
To: pierre.carrier@airbnb.com
Date: Thu, 13 Feb 2014 01:01:20 -0500
Cc: bugbusters@freebsd.org, product.security@airbnb.com, pkgsrc-security@netbsd.org, rory@berecruited.com
Reply-To: secalert@redhat.com
List-Id: "Coordination of the Problem Report handling effort."

On Wed Feb 12 15:03:04 2014, pierre.carrier@airbnb.com wrote:
> Hello,
>
> SSHA passwords generated by the net-ldap Ruby gem use a salt between
> "0" and "999", only providing 10 bits of entropy.
>
> This is an attack vector, making attacks based on rainbow tables
> significantly easier than with a strong salt.

Thanks for sending this.

From the CVE perspective this is a classic "intended security protection that fails to work as intended": the point of salting is to increase the workload enough to make pre-computation and storage of the results difficult to impossible, and a factor of 1000 is simply not enough in the modern world of GPUs, 4TB HDs and rainbow tables with chains.

Please use CVE-2014-0083 for this issue.

Also, can an issue be opened upstream if it hasn't already been done?

Thanks.

> https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap/password.rb#L29
>
> This E-mail is sent to the current upstream maintainer and all vendors
> that distribute a version of that gem.
> Your version might not be affected; if not, sorry for the noise.
>
> Best,
>

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
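As an added example (not code from the gem or from either correspondent), the Ruby below models the SSHA scheme the report describes: the weak "0".."999" salt space beside a hardened 16-byte random salt, with a verifier and an audit check a defender could run over stored values to find entries that need rehashing. The function names and the 16-byte salt size are my choices, not the gem's.

```ruby
require 'digest/sha1'
require 'securerandom'
# Added example, not net-ldap's own code: the reported weak salt ("0".."999",
# about 10 bits) beside a hardened variant, a verifier and an audit check.
WEAK_SALT_SPACE = 1000    # salt values "0".."999", as described in the report
STRONG_SALT_BYTES = 16    # 128 bits from a CSPRNG

# RFC 2307 style SSHA: "{SSHA}" + base64( SHA1(password || salt) || salt ).
def encode_ssha(password, salt)
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}" + [digest + salt.b].pack("m0")
end

# Weak: salt is the decimal string of a number below 1000 (constructed to
# mirror the report; the gem's own code is not reproduced here).
def ssha_weak(password, salt = rand(WEAK_SALT_SPACE).to_s)
  encode_ssha(password, salt)
end

# Hardened: random bytes, so a precomputed table must cover 2**128 salts.
def ssha_strong(password, salt = SecureRandom.random_bytes(STRONG_SALT_BYTES))
  encode_ssha(password, salt)
end

# Splits a stored value into [digest, salt]; a SHA-1 digest is always 20 bytes.
def parse_ssha(stored)
  raise ArgumentError, "not an SSHA value" unless stored.start_with?("{SSHA}")
  raw = stored[6..-1].unpack1("m0")
  [raw[0, 20], raw[20..-1]]
end

# Recomputes the digest with the stored salt and compares it in constant time.
def ssha_verify?(stored, password)
  digest, salt = parse_ssha(stored)
  candidate = Digest::SHA1.digest(password.b + salt)
  digest.bytes.zip(candidate.bytes).sum { |a, b| a ^ b }.zero?
end

# Audit check: a salt of only 1..3 decimal digits lies in the weak space, so
# the entry should be rehashed with ssha_strong at the next successful login.
def weak_salt?(stored)
  !!(parse_ssha(stored)[1] =~ /\A\d{1,3}\z/)
end

# Bits of entropy a salt adds when it has `space` equiprobable values:
# log2(1000) is about 9.97 for the weak scheme, 128 for 16 random bytes.
def salt_entropy_bits(space)
  Math.log2(space)
end
```

Running weak_salt? over an exported directory is a cheap way to count how many stored passwords still carry a salt from the 1000-value space.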