Executive Summary

Summary
Title: Retrospect Backup Client uses weak password hashing

Information
Name: VU#101500    First vendor publication: 2015-06-15
Vendor: VU-CERT    Last vendor modification: 2015-06-15
Severity (vendor): N/A    Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA    Environmental score: NA
Impact sub score: NA    Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS base score: 5    Attack range: Network
CVSS impact score: 2.9    Attack complexity: Low
CVSS exploit score: 10    Authentication: None required

Detail

Vulnerability Note VU#101500

Retrospect Backup Client uses weak password hashing

Original Release date: 15 Jun 2015 | Last revised: 15 Jun 2015

Overview

Retrospect Backup Client is a client to a network-based backup utility. This client stores passwords in a hashed format that is weak and susceptible to collision, allowing an attacker to generate a password hash collision and gain access to the target's backup files.

Description

CWE-916: Use of Password Hash With Insufficient Computational Effort - CVE-2015-2864

Retrospect Backup clients prior to 10.0.2 on Windows and Linux and 12.0.2 on Mac contain an error in the password hash generating algorithm. The password is not fully utilized when generating a hash, allowing the possibility of a weak hash with a higher probability of collision with other passwords. Attackers with network access to a machine running the Retrospect client may be able to generate brute-force passwords that are guaranteed to collide with the hashed password with a maximum of 128 tries. This attack was demonstrated by security researchers Josep Pi Rodriguez and Pedro Guillen Nunez.

This vulnerability only affects clients utilizing password authentication; clients using the public key authentication mechanism to login are unaffected. Retrospect recommends that users make use of the public key authentication mechanism. For more details on the vulnerability and instructions on enabling public key authentication, please see Retrospect's advisory.
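
As an added illustration of the weakness class described above (CWE-916, a hash that does not use the whole password), and not Retrospect's code or its actual algorithm: a constructed toy hash that ignores every byte of the password after the first is compared with a salted PBKDF2 hash, using a dependency check a defender can run against any password-hashing routine. The toy hash, the candidate passwords and the salt are constructed for this example.

```python
import hashlib
import os

def weak_hash(password: bytes) -> bytes:
    """Constructed toy hash that feeds only the first byte of the password
    into the digest (hypothetical; NOT the Retrospect algorithm). Every
    password sharing a first byte collides, so at most 256 guesses suffice."""
    return hashlib.sha256(password[:1]).digest()

def strong_hash(password: bytes, salt: bytes) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: every byte of the password
    influences the output and each guess costs real work."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def depends_on_every_byte(hash_fn, password: bytes) -> bool:
    """Return True only if changing any single byte of the password changes
    the hash. False means part of the password is ignored, so the effective
    key space is smaller than the password length suggests. (An empty
    password trivially returns True because there is nothing to flip.)"""
    baseline = hash_fn(password)
    for i in range(len(password)):
        mutated = bytearray(password)
        mutated[i] ^= 0x01  # flip the low bit of byte i
        if hash_fn(bytes(mutated)) == baseline:
            return False
    return True

def effective_space(hash_fn, candidates) -> int:
    """Count distinct hash values over a candidate set. A number far below
    len(candidates) is the collision symptom CWE-916 warns about."""
    return len({hash_fn(c) for c in candidates})

if __name__ == "__main__":
    salt = os.urandom(16)
    pw = b"correct horse battery staple"
    print("weak hash depends on every byte:", depends_on_every_byte(weak_hash, pw))  # False
    print("PBKDF2 depends on every byte:",
          depends_on_every_byte(lambda p: strong_hash(p, salt), pw))  # True
    # 1000 constructed passwords whose first byte cycles through A..Z
    cands = [bytes([65 + (n % 26)]) + b"%04d" % n for n in range(1000)]
    print("distinct weak hashes over 1000 passwords:", effective_space(weak_hash, cands))  # 26
```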

Impact

An unauthenticated attacker on the network may be able to brute force a correct password by guessing a string that produces the same hash, granting access to backup data as the victim user.

Solution

Apply an update

For users that wish to continue using the password mechanism, Retrospect has released updates addressing this issue.

Windows users should update to version 10.0.2.119 or later.
Mac users should update to version 12.0.2.116 or later.
Linux users should update to version 10.0.2.104 or later.

Affected users may also consider the following workaround recommended by the vendor:

Switch to Public Key Authentication

The public key authentication method used by Retrospect is unaffected by this vulnerability. Retrospect recommends using public key authentication rather than a password and has provided a knowledge base article to guide users through the setup process.

Vendor Information

Vendor            Status    Date Notified  Date Updated
Retrospect, Inc.  Affected  30 Apr 2015    15 Jun 2015

CVSS Metrics

Group          Score  Vector
Base           7.9    AV:A/AC:M/Au:N/C:C/I:C/A:C
Temporal       6.2    E:POC/RL:OF/RC:C
Environmental  4.6    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://www.retrospect.com/support/kb/cve_2015_2864
  • http://www.retrospect.com/support/downloads
  • https://www.youtube.com/watch?v=MB8AL5u7JCA&list=PL3UAg9Zuj1yLmemIKw-domjg5UkbN-pLc&index=14

Credit

Thanks to Josep Pi Rodriguez and Pedro Guillen Nunez for working with the CERT/CC and the vendor, and thanks to Retrospect for quickly addressing the issue.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2015-2864
  • Date Public: 09 Jul 2014
  • Date First Published: 15 Jun 2015
  • Date Last Updated: 15 Jun 2015
  • Document Revision: 28

Original Source

Url : http://www.kb.cert.org/vuls/id/101500

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-255  Credentials Management

CPE : Common Platform Enumeration

Type         Description  Count
Application               2
Application               3

Alert History

Date                 Information
2015-09-24 00:26:31
  • Multiple updates
2015-09-21 17:24:33
  • Multiple updates
2015-06-16 00:24:58
  • First insertion