7.8 - VU#840249

Executive Summary

Summary
Title	Wind River Systems VxWorks weak default hashing algorithm in standard authentication API (loginLib)

Informations
Name	VU#840249	First vendor Publication	2010-08-02
Vendor	VU-CERT	Last vendor Modification	2010-09-02
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Cvss Base Score	7.8	Attack Range	Network
Cvss Impact Score	6.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#840249

Wind River Systems VxWorks weak default hashing algorithm in standard authentication API (loginLib)

Overview

The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password.

I. Description

An attacker with a known username and access to a service (telnet, rlogin or FTP) that uses the standard authentication API (loginDefaultEncrypt (), part of loginLib) can brute force the password in a relatively short period of time. Since the hashing algorithm is susceptible to collisions, the actual password does not have to be found, just a string that produces the same hash.

For instance, when the default 'target/password' login example is used, 'y{{{{{kS' hashes to the same string as 'password'. It is thus possible to login using both 'password' and 'y{{{{{kS' as the passwords for the user 'target'.

Additional information can be found in ICS-CERT advisory ICSA-10-214-01 and on the Metasploit Blog.

II. Impact

An attacker can brute force a correct password by guessing a string that produces the same hash and access the relevant service as the known user.

III. Solution

Vendors which use VxWorks in their products should not use the default hashing algorithm in standard authentication API (loginDefaultEncrypt()). A trusted authentication API should be used instead. It can be installed by means of the loginEncryptInstall() loginLib hook.

In addition, and so as to avoid registration of the default 'target'/'password' credentials at init time, the LOGIN_USER_NAME and LOGIN_USER_PASSWORD project parameters/#defines should be set to empty strings (so that no user is registered using the default encryption routine). Only after the new encryption routine is registered should new users be added to the system.

loginEncryptInstall allows the user to install a custom encryption routine. The custom routine <rtn> must be of the following form:

STATUS encryptRoutine
(
char *password, /* string to encrypt */
char *encryptedPassword /* resulting encryption */
)

The <encryptedPassword> string length should be no more than :
+ VxWorks 6.4 and below: 80 characters
+ VxWorks 6.5 and above: 128 characters

When a custom encryption routine is installed, a host version of this routine must be written to replace the tool vxencrypt in host/<hostOs>/bin.

Appendix #1 shows example code making use of loginEncryptInstall() to set a custom encryption routine. Depending on the VxWorks version used, either SHA-512 or SHA-256 are used.

DISCLAIMER: The following example code was provided by Wind River Systems. It is for demonstration purposes only and should not be used as is.

APPENDIX #1
/* Sample loginEncryptInstallCode() */

/* includes */

#include <vxWorks.h>
#include <errnoLib.h> /* for errnoGet API */
#include <fcntl.h> /* for open API */
#include <stdio.h> /* for sprintf API */
#include <string.h> /* for string handling */
#include <unistd.h> /* for close API */
#include <loginLib.h> /* library under test */
#include <sysSymTbl.h> /* for sySymTbl variable */

/* globals */

/*
* SHA-512 and SHA-256 digests corresponding to the 'vincent' string.
* VxWorks 6.4 and below use SHA-256 because of the 80 chars
* loginEncryptInstall() digest limit, while post 6.5 versions use SHA-512.
*/

#if ((_WRS_VXWORKS_MAJOR == 6) && (_WRS_VXWORKS_MINOR > 4))
char * cryptSha = "38256fbe4e80d9ffd355409f36238ae18e62c668208c259e60"
"ca323ab47cf55b8656e88e56593d531b250aae2c35376b387d"
"83ade5e3e8b6c042133b97030fa4";
char * shaIdent = "SHA-512";
#else
char * cryptSha = "65c3f75641b22925c737ca657b126cd68c39e423349d43031c"
"f9a3b9a18cee1f";
char * shaIdent = "SHA-256";
#endif

/* locals */

LOCAL STATUS fixed_sha (char* password, char* encryptedpassword);

/*******************************************************************************
*
* loginEncryptInstallExample - register and use a custom encryption routine
*
* RETURNS: N/A
*/

STATUS loginEncryptInstallExample (void)
{
char* name = "vincent";
char* passwd = "vincent";
STATUS status = ERROR;

/* Register our new encryption routine */

loginEncryptInstall (fixed_sha, 0);
printf ("Registered %s encryption routine. ", shaIdent);

/* Add a new user using this encryption routine */

if (loginUserAdd (name, cryptSha) != OK)
{
printf ("Unable to add new user to system using %s encryption"
"routine [errno = %#x]. ", shaIdent, errnoGet ());

return ERROR;
}
else
{
/* Launch the verification process */

if (loginUserVerify (name, passwd) != OK)
{
printf ("Successfully registered and added a new user "
"with custom encryption routine but password "
"check failed [errno = %#x]. ", errnoGet ());

goto cleanup;
}
else
{
printf ("Successfully used custom encryption routine "
"(routine registration, user creation and "
"verification). ");
}
}

status = OK;

cleanup:

/* Remove user and module; unregister routine */

if (loginUserDelete (name, passwd) != OK)
{
printf ("There was a problem while trying to delete the "
"newly added user during cleanup [errno = " "%#x]. ",
errnoGet ());
status = ERROR;
}

loginEncryptInstall ((FUNCPTR) loginDefaultEncrypt, 0);
return status;
}

/******************************************************************************
* fixed_sha - returns a fixed SHA digest
*
* RETURNS: Always OK
*/

LOCAL STATUS fixed_sha
(
char* password,
char* encryptedpassword
)
{
/*
* IMPORTANT : This test routine should be replaced by a real SHA
* generator. Because of the fixed digest, the current version does not
* perform actual user validation (i.e all passwords are accepted for user
* 'vincent').
*/

strcpy (encryptedpassword, cryptSha);
return OK;
}

Restrict access
Appropriate firewall rules should be implemented to restrict access to any services that use the standard authentication API.

Disable services
Services such as FTP or telnet should be disabled if not needed.

Monitor access
IDS signatures should be implemented to detect brute force attacks to services that use the standard authentication API.

Vendor Information

Vendor	Status	Date Notified	Date Updated
3com Inc	Unknown	2010-06-14	2010-08-04
Actelis Networks	Unknown	2010-06-29	2010-08-04
Alcatel-Lucent	Unknown	2010-06-14	2010-08-04
Allied Telesis	Unknown	2010-06-29	2010-08-04
Alvarion	Unknown	2010-06-29	2010-08-04
amx	Not Affected	2010-06-29	2010-08-04
Aperto Networks	Unknown	2010-06-29	2010-08-04
Apple Inc.	Unknown	2010-06-29	2010-08-04
ARRIS	Unknown	2010-06-29	2010-08-04
Avaya, Inc.	Unknown	2010-06-29	2010-08-04
Broadcom	Unknown	2010-06-29	2010-08-04
Brocade	Unknown	2010-08-03	2010-08-03
Canon	Not Affected	2010-06-29	2010-08-09
Carrier Access	Unknown	2010-06-29	2010-08-04
Ceragon Networks Inc	Unknown	2010-06-29	2010-08-04
Cisco Systems, Inc.	Unknown	2010-06-29	2010-08-04
D-Link Systems, Inc.	Unknown	2010-06-29	2010-08-04
Dell Computer Corporation, Inc.	Unknown	2010-06-29	2010-08-04
Digicom	Unknown	2010-06-29	2010-08-04
DrayTek Corporation	Unknown	2010-06-29	2010-08-04
EMC Corporation	Not Affected	2010-06-14	2010-08-04
Enablence	Unknown	2010-06-29	2010-08-04
Enterasys Networks	Unknown	2010-06-29	2010-08-04
Epson America, Inc.	Unknown	2010-06-29	2010-08-04
Ericsson	Affected	2010-06-29	2010-08-04
Fluke Networks	Unknown	2010-06-29	2010-08-04
Foundry Networks, Inc.	Unknown	2010-06-29	2010-08-04
Gilat Network Systems	Unknown	2010-06-29	2010-08-04
Guangzhou Gaoke Communications	Unknown	2010-06-29	2010-08-04
Huawei Technologies	Unknown	2010-06-29	2010-08-04
Intel Corporation	Unknown	2010-08-03	2010-08-03
IWATSU Voice Networks	Unknown	2010-06-29	2010-08-04
Keda Communications	Unknown	2010-06-29	2010-08-04
Knovative Inc	Unknown	2010-06-29	2010-08-04
Lenovo	Unknown	2010-06-29	2010-08-04
Lucent Technologies	Unknown	2010-06-29	2010-08-04
Lutron Electronics	Unknown	2010-06-29	2010-08-04
Maipu Communication Technology	Unknown	2010-06-29	2010-08-04
Mitel Networks, Inc.	Unknown	2010-06-29	2010-08-04
Motorola, Inc.	Unknown	2010-06-29	2010-08-04
Netgear, Inc.	Unknown	2010-06-29	2010-08-04
Nokia	Unknown	2010-06-29	2010-08-04
Nortel Networks, Inc.	Unknown	2010-07-14	2010-07-14
Polycom	Affected	2010-06-29	2010-08-04
Proxim, Inc.	Unknown	2010-06-29	2010-08-04
Ricoh Company Ltd.	Not Affected	2010-06-29	2010-08-06
Rockwell Automation	Not Affected	2010-07-07	2010-08-02
Samsung	Unknown	2010-06-29	2010-08-04
Shoretel Communications, Inc.	Unknown	2010-06-29	2010-08-04
Siemens	Unknown	2010-06-29	2010-08-04
SMC Networks, Inc.	Unknown	2010-06-29	2010-08-04
TRENDnet	Unknown	2010-06-29	2010-08-04
Tut Systems, Inc.	Unknown	2010-06-29	2010-08-04
Wind River Systems, Inc.	Affected	2010-06-03	2010-08-02
Xerox	Unknown	2010-06-29	2010-08-04

References

http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01_VxWorks_Vulnerabilities.pdf
http://blogs.windriver.com/chauhan/2010/08/vxworks-secure.html
https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033709
http://newsoft-tech.blogspot.com/2010/09/follow-up-on-vxworks-issue.html
http://cvk.posterous.com/how-to-crack-vxworks-password-hashes

Credit

Thanks to HD Moore for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public:	2010-08-02
Date First Published:	2010-08-02
Date Last Updated:	2010-09-02
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	23.62
Document Revision:	42

Original Source

Url : http://www.kb.cert.org/vuls/id/840249

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-310	Cryptographic Issues
50 %	CWE-255	Credentials Management

CPE : Common Platform Enumeration

Type	Description	Count
Os	Windriver Vxworks cpe:2.3:o:windriver:vxworks:6.8:::::::* cpe:2.3:o:windriver:vxworks:6.7:::::::* cpe:2.3:o:windriver:vxworks:6.6:::::::* cpe:2.3:o:windriver:vxworks:6.5:::::::* cpe:2.3:o:windriver:vxworks:6.4:::::::* cpe:2.3:o:windriver:vxworks:6:::::::* cpe:2.3:o:windriver:vxworks:5.5:::::::* cpe:2.3:o:windriver:vxworks:5:::::::*	8

Open Source Vulnerability Database (OSVDB)

Id	Description
66909	Wind River Systems' VxWorks INCLUDE_SECURITY Functionality Multiple Parameter...
66843	Wind River Systems' VxWorks loginLib Default Hashing Algorithm Weakness VxWorks contains a flaw that may allow an attacker to brute force a known backdoor account over FTP with trivial effort. The issue is triggered in combination with a flaw that allows arbitrary memory access, which allows the backdoor account name to be discovered.

Global Informations

Type	Count
CWE ID(s)	2
CPE ID(s)	8
osvdb(s)	2

	Related
7.8	CVE-2010-2967
7.8	CVE-2010-2966
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)