API cryptography software made a hash of authentication checks

Attackers can bypass password checks in applications that use Bouncy Castle’s OpenBSDBcrypt class because of recently discovered cryptographic mistakes in the widely used encryption library.

The authentication bypass vulnerability (CVE-2020-28052) was discovered by security researchers at Synopsys, who went public with their findings in a technical blog post last week, several weeks after a fix was released that addresses the vulnerability.

Flawed verification routine

The OpenBSDBcrypt class implements the Bcrypt algorithm for password hashing. Coding errors introduced in the OpenBSDBcrypt.doCheckPassword method resulted in a flawed verification routine.

The practical upshot of this error is that an attacker doesn’t need a byte-for-byte match with the stored hash value in order to get past authentication checks, and so can get through without a valid password by means of a brute force attack, as Synopsys explains:

An attacker must brute-force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1,000 attempts.

Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59).

Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input.

Banking security expert Martín Obiols offered a neat summary of the vulnerability on Twitter.

“Earlier this year someone decided to add constant time comparison in BCrypt.doCheckPassword from Bouncy Castle,” Obiols said.

“They used indexOf instead of charAt in the check, they broke it and you could do random attempts with a 20% chance of success in [1,000] tries.”
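The indexOf/charAt mix-up described above can be reproduced in a few lines. This is an added illustration, not Bouncy Castle's source: the class, the method names and the 60-character sample strings are constructed for the example, with the JDK's MessageDigest.isEqual shown as a ready-made constant-time comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class BcryptCompareDemo {
    // Simplified model of the flaw: String.indexOf(int) takes a character code,
    // so this loop compares where the characters with codes 0..59 first occur,
    // not which characters sit at positions 0..59.
    static boolean flawedEquals(String stored, String candidate) {
        boolean same = stored.length() == candidate.length();
        for (int i = 0; i < 60; i++) {
            same &= stored.indexOf(i) == candidate.indexOf(i);
        }
        return same;
    }

    // Intended check: compare position by position, with no early exit.
    static boolean fixedEquals(String stored, String candidate) {
        boolean same = stored.length() == candidate.length();
        for (int i = 0; i < stored.length() && i < candidate.length(); i++) {
            same &= stored.charAt(i) == candidate.charAt(i);
        }
        return same;
    }

    // JDK alternative: MessageDigest.isEqual examines every byte of its input.
    static boolean jdkEquals(String stored, String candidate) {
        return MessageDigest.isEqual(
            stored.getBytes(StandardCharsets.UTF_8),
            candidate.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed strings shaped like bcrypt output (29-character prefix
        // plus 31-character tail); they are not real password hashes.
        String prefix = "$2y$10$" + "abcdefghijklmnopqrstuv";
        String stored = prefix + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde";
        String other  = prefix + "edcbaZYXWVUTSRQPONMLKJIHGFEDCBA";

        // The tails differ, but every character with a code below 60
        // ('$', '0', '1', '2') first occurs in the shared prefix.
        System.out.println("flawed: " + flawedEquals(stored, other));
        System.out.println("fixed:  " + fixedEquals(stored, other));
        System.out.println("jdk:    " + jdkEquals(stored, other));
    }
}
```

A regression test for any hand-written comparison routine should include a pair like this one, where the strings share a prefix and differ only in characters whose codes fall outside the loop range.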

The Daily Swig invited Synopsys to comment on its research. We’ll update this story as and when any comment comes through.

Bounced into an update

The issue is limited to Bouncy Castle 1.65 and 1.66 (builds released this year) and fixed with Bouncy Castle 1.67, released in November.

Versions prior to Bouncy Castle 1.65 are not subject to the vulnerability (which earns a CVSSv3 score of 8.1).

Bcrypt hashing is used to check user-supplied passwords by web applications and APIs. Circumventing authentication techniques built using the technology is bad news because it creates a means for attackers to perform the same operations as a legitimate user, potentially an administrator.

Bouncy Castle is a collection of cryptographic APIs, with versions written for Java and C#, maintained by Australia-based developers Legion of the Bouncy Castle.

