‘All the passwords it created could be bruteforced,’ bemoan French researchers

The password generator feature in Kaspersky Password Manager was insecure in various ways because the security vendor failed to follow well understood cryptographic best practices, it has emerged.

The multiple flaws – tracked as CVE-2020-27020 – were discovered in June 2019 but were only patched in October 2020.

Users were told to update to Kaspersky Password Manager 9.0.2 Patch M and re-generate passwords. That in itself didn’t completely fix the issue because the mobile version of the software was still vulnerable until that too was addressed and an advisory published in April 2021.

Dictionary attack

After allowing several weeks for users to update their software, security researcher Jean-Baptiste Bédrune of French security outfit Ledger Donjon has gone public with a detailed technical write-up of the security flaws he discovered in the software.

Up until it was updated, the Pseudo Random Number Generation bundled with Kaspersky Password Manager used the current time as its single source of entropy.

As a result, every user who attempted to generate a password at the same time (in seconds) was offered the same suggested password. It also meant that any password generated using the technology was left vulnerable to a brute force attack based on a dictionary of possible passwords.

“All the passwords it created could be bruteforced in seconds,” according to Bédrune.

Dispute over danger posed

In response to queries from The Daily Swig, Kaspersky admitted the problem but played down the severity of the flaw, arguing that successful attacks that relied on these vulnerabilities would be difficult in practice.

Kaspersky has fixed a security issue in Kaspersky Password Manager, which potentially allowed an attacker to find out passwords generated by the tool. This issue was only possible in the unlikely event that the attacker knew the user’s account information and the exact time a password had been generated. It would also require the target to lower their password complexity settings.

The company has issued a fix to the product and has incorporated a mechanism that notifies users if a specific password generated by the tool could be vulnerable and needs changing.

We recommend that our users install the latest updates. To make the process of receiving updates easier, our home products support automatic updates.

Ledger Donjon's Bédrune disputed this assessment.

"What Kaspersky means is that if an attacker tries to guess the password of a victim using Kaspersky Password Manager on his first try, he will have to know the time at which the password has been created," Bédrune explained. "This is true, but this is not how attacks work".


Catch up on the latest encryption-related news


Bédrune told The Daily Swig: "Some services do not have anti-bruteforce countermeasures: you can try every password that KPM can generate, and attacks will work. This is the same with encrypted containers (TrueCrypt, Veracrypt and so on), protected archives, etc. where trying many passwords is not a problem. Another attack scenario is the one where an attacker manages to dump the database of a service containing hashed / encrypted passwords.

"While credentials generated by password managers usually cannot be broken, passwords created with KPM will be breakable in seconds," Bédrune concluded.

Independent security experts are highly critical of the design decisions made by Kaspersky that led to the flaws.

Pseudo Random

Cryptographically Secure Pseudo Random Number Generation is a well-known technology with well-established standard libraries and best practices. Kaspersky disregarded these in the development of its product, apparently to the detriment of its security.

Noted cryptographer Matthew Green commented: “I have to admire the combination of needless complexity combined with absolutely breath-taking incompetence.”

As well as time being used as a single source of entropy, Kaspersky used a non-cryptographically secure PRNG (Mersenne Twister) as the engine for password generation in its software.

Ledger Donjon show that Kaspersky’s approach compares unfavourably to the approach taken by KeePass, an open source project.

Crackers

Kaspersky Password Manager is designed to securely stores passwords and documents into an encrypted vault, protected by a password. The technology used an overly complex method to generate its passwords, an approach also faulted by researchers.

“This method aimed to create passwords hard to break for standard password crackers,” according to Ledger Donjon. “However, such method lowers the strength of the generated passwords against dedicated tools.”

Ledger Donjon developed a proof of concept that details the full generation method used by KPM. In developing this PoC the researchers discovered a software bug that, somewhat ironically, makes the generation of passwords by the technology more secure than would otherwise be the case.

“Writing this PoC allowed us to spot an out of bounds read during the computation of the frequency of appearance of password chars, which makes passwords a bit stronger that they should have been,” Ledger Donjon concludes.


DON’T FORGET TO READ Filesec.io project catalogs malicious file extensions being used by attackers