View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001283 | bareos-core | General | public | 2020-12-05 13:03 | 2020-12-05 13:03 |

Field | Value
---|---
Reporter | rugk
Assigned To |
Priority | high
Severity | feature
Reproducibility | always
Status | new
Resolution | open
Product Version | 19.2.8
Summary | 0001283: Remove insecure MD5 hashing
Description | You use/provide CRAM-MD5 hashing: https://github.com/bareos/bareos/blob/819bba62ebdadd2ac0bd773ac8d26f4f60f5d39e/python-bareos/bareos/util/password.py#L51 However, MD5 is easily brute-forceable nowadays, vulnerable to an (active) MITM attack and has many more weaknesses: https://en.wikipedia.org/wiki/CRAM-MD5#Weaknesses And it has been deprecated since 2008: https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00
Additional Information | The linked RFC recommends e.g. SCRAM as an alternative. AFAIK you use TLS, which should mitigate this problem, but then such an additional authentication is also quite useless here. You may consider, if appropriate for your use case and not already done, using password stretching hashes (PBKDF, Argon2 etc.) on the server for secure storage, or possibly some kind of private-public-key authentication scheme. These are only ideas for the future though. For now, just remove legacy and insecure algorithms, or – at least – mark them as deprecated as you should have done in 2008! At most, they can give a false sense of security.
Tags | No tags attached.
bareos-master: impact |
bareos-master: action |
bareos-19.2: impact |
bareos-19.2: action |
bareos-18.2: impact |
bareos-18.2: action |
bareos-17.2: impact |
bareos-17.2: action |
bareos-16.2: impact |
bareos-16.2: action |
bareos-15.2: impact |
bareos-15.2: action |
bareos-14.2: impact |
bareos-14.2: action |
bareos-13.2: impact |
bareos-13.2: action |
bareos-12.4: impact |
bareos-12.4: action |
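To make the two points of the report concrete, here is an added example (not Bareos code and not written by the reporter): a CRAM-MD5 exchange as specified in RFC 2195, which the server can only verify if it keeps the password-equivalent secret, next to stretched password storage where the server keeps only a salted PBKDF2 derived key. PBKDF2-HMAC-SHA256 and the iteration count are assumptions standing in for the "PBKDF, Argon2 etc." the report names; the challenge, user name and secret are the RFC 2195 test vector, used here as sample input.

```python
import hashlib
import hmac
import os
from typing import Optional

# RFC 2195 sample exchange, used as constructed input for the demo below.
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC_USER, RFC_SECRET = "tim", b"tanstaaftanstaaf"


def cram_md5_response(username: str, secret: bytes, challenge: bytes) -> str:
    """Client side: prove knowledge of the secret with HMAC-MD5(secret, challenge)."""
    return f"{username} {hmac.new(secret, challenge, hashlib.md5).hexdigest()}"


def cram_md5_verify(stored_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the HMAC. This needs the raw secret (or the
    password-equivalent HMAC key state) on the server, so the secret cannot be
    stored as a salted, stretched hash; that is the structural weakness."""
    _, digest = response.split(" ", 1)
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def pbkdf2_store(password: str, iterations: int = 600_000,
                 salt: Optional[bytes] = None) -> dict:
    """Stretched storage: keep salt, cost and derived key; the password itself
    is not recoverable from the record (assumed parameters, see lead-in)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def pbkdf2_verify(record: dict, password: str) -> bool:
    """Direct password verification against the stretched record, constant-time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def demo() -> dict:
    """Run both schemes on the sample input and report the outcomes."""
    resp = cram_md5_response(RFC_USER, RFC_SECRET, CHALLENGE)
    rec = pbkdf2_store("correct horse", iterations=10_000)
    return {
        "cram_response": resp,
        "cram_ok": cram_md5_verify(RFC_SECRET, CHALLENGE, resp),
        "pbkdf2_ok": pbkdf2_verify(rec, "correct horse"),
        "pbkdf2_wrong_rejected": not pbkdf2_verify(rec, "correct horsf"),
    }


if __name__ == "__main__":
    print(demo())
```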
Date Modified | Username | Field | Change |
---|---|---|---|
2020-12-05 13:03 | rugk | New Issue |