View Issue Details

ID: 0001283
Project: bareos-core
Category: [All Projects] General
View Status: public
Last Update: 2020-12-05 13:03
Reporter: rugk
Assigned To: (unassigned)
Priority: high
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Product Version: 19.2.8
Fixed in Version: (none)
Summary: 0001283: Remove insecure MD5 hashing
Description: You use/provide CRAM-MD5 hashing:
https://github.com/bareos/bareos/blob/819bba62ebdadd2ac0bd773ac8d26f4f60f5d39e/python-bareos/bareos/util/password.py#L51

However, MD5 is easily brute-forceable nowadays, vulnerable to an (active) MITM attack and has many more weaknesses:
https://en.wikipedia.org/wiki/CRAM-MD5#Weaknesses

And it has been deprecated since 2008.
https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00
Additional Information: The linked RFC recommends e.g. SCRAM as an alternative.

AFAIK you use TLS, which should mitigate this problem, but then such an additional authentication is also quite useless here.
You may consider, if appropriate for your use case and not already done, using password stretching hashes (PBKDF, Argon2 etc.) on the server for secure storage, or possibly some kind of private-public-key authentication scheme.
These are only ideas for the future though. For now, just remove legacy and insecure algorithms, or – at least – mark them as deprecated as you should have done in 2008! At most, they can give a false sense of security.
Tags: No tags attached.
bareos-master: impact
bareos-master: action
bareos-19.2: impact
bareos-19.2: action
bareos-18.2: impact
bareos-18.2: action
bareos-17.2: impact
bareos-17.2: action
bareos-16.2: impact
bareos-16.2: action
bareos-15.2: impact
bareos-15.2: action
bareos-14.2: impact
bareos-14.2: action
bareos-13.2: impact
bareos-13.2: action
bareos-12.4: impact
bareos-12.4: action

Activities

There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2020-12-05 13:03 | rugk | New Issue |