Posted by on Thursday, December 17th, 2020
CVE-2020-28052 is an authentication bypass vulnerability discovered in Bouncy Castle’s OpenBSDBcrypt class. It allows attackers to bypass password checks.
Synopsys CyRC researchers have discovered CVE-2020-28052, an authentication bypass vulnerability in the OpenBSDBcrypt class of the widely used Java cryptography library Bouncy Castle. This class implements the Bcrypt algorithm for password hashing. Attackers can bypass password checks in applications that use Bouncy Castle’s OpenBSDBcrypt class.
The vulnerability in the method OpenBSDBcrypt.doCheckPassword was introduced in commit 00dfe74aeb4f6300dd56b34b5e6986ce6658617e.
The doCheckPassword method implements a flawed verification routine. The code checks for an index of characters from 0 to 59 inclusive, rather than checking that characters at positions from 0 to 59 match. This means that passwords that result in hashes that, for instance, don’t contain bytes between 0x00 and 0x3B match every other password hash that don’t contain them. Passing this check means an attacker doesn’t need a byte-for-byte match with the stored hash value.
boolean isEqual = sLength == newBcryptString.length();
for (int i = 0; i != sLength; i++)
{
isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
}
return isEqual;
In most cases where Bcrypt.doCheckPassword() is used to check a password, successful exploitation will cause an authentication bypass.
An attacker must brute-force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1,000 attempts. Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input.
Note: As a result of this disclosure, Synopsys investigated its own products and found none used Bouncy Castle version 1.65 or 1.66 at the time this disclosure was published.
Bcrypt hashing–based authentication may be used for authentication checks, for example, in web applications and APIs.
Bouncy Castle is a software library. The following worst-case implementation scenario was assumed in determining the CVSS score (following FIRST CVSS scoring guidelines for software libraries):
Bcrypt hashing is used to check user-supplied passwords. Once the authentication bypass is triggered, attackers can perform the same operations as a legitimate user (gaining administrator-level access to a single-sign-on system, for example).
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Score: 8.1
Exploitability metrics:
Attack Vector (AV): N = Network
Attack Complexity (AC): H = High
Privileges Required (PR): N = None
User Interaction (UI): N = None
Scope (S): C = Changed scope
Impact metrics
Confidentiality Impact (C): H = High impact
Integrity Impact (I): H = High impact
Availability Impact (A): H = High impact
Software vendors and users of the library are strongly encouraged to upgrade to Bouncy Castle Java release 1.67 or later.
A team of researchers from Synopsys Cybersecurity Research Center (CyRC) in Oulu, Finland, discovered the issue:
Synopsys would like to thank the Bouncy Castle team for their responsiveness and for addressing this matter in a timely manner.