
Bouncy Castle Bug Puts Bcrypt Passwords at Risk

Posted by File_closed07
A high-impact vulnerability has been discovered in a popular Java cryptography library that allows attackers to get a wrong password accepted against a Bcrypt hash after comparatively few guesses.

CVE-2020-28052 is an authentication bypass bug in the OpenBSDBCrypt class (its checkPassword method) of the widely used Bouncy Castle library, affecting BC Java 1.65 and 1.66. Only applications that verify passwords through this class are affected; other Java Bcrypt implementations are outside the scope of this CVE.

By exploiting it, attackers can effectively bypass password checks in applications that use Bouncy Castle's implementation of the Bcrypt algorithm for password hashing, explained Synopsys, which reported the bug. Although attack complexity is rated high, so is the potential impact on confidentiality, integrity and availability, the company said.

“An attacker must brute force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1000 attempts,” it explained.

“Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input.”
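The attempt counts Synopsys quotes follow from what the vulnerable comparison actually tested. The Python below is an added example written for this page, not Bouncy Castle's source or Synopsys' test code: it models the comparison pattern of the vulnerable checkPassword loop (Java's indexOf(i) where charAt(i) was intended) beside a corrected full-string comparison, using constructed 60-character strings in bcrypt's layout rather than real hashes. It is in Python rather than Java so it runs without the library; the fix shown is a constant-time full comparison, which is the property the corrected check needs, not a claim about the exact code in release 1.67.

```python
"""Model of the flawed Bcrypt hash comparison behind CVE-2020-28052.

Constructed example: it re-implements the shape of the vulnerable comparison
loop (Java String.indexOf(int) where charAt(int) was intended) and a corrected
full-string comparison. It does not compute bcrypt itself; the hash strings
below are hand-built 60-character values in bcrypt's "$2a$cost$salt+digest"
layout and are not real hashes.
"""
import hmac

BCRYPT_LEN = 60  # bcrypt hash string: 7-char prefix + 22-char salt + 31-char digest


def flawed_check(stored: str, computed: str) -> bool:
    """Vulnerable pattern: for each loop index i it compares the position of the
    first occurrence of the character whose code point is i (Java indexOf(i)),
    not the character at index i. str.find() returns -1 when absent, as indexOf does."""
    is_equal = len(stored) == len(computed)
    for i in range(len(computed)):
        is_equal &= stored.find(chr(i)) == computed.find(chr(i))
    return is_equal


def correct_check(stored: str, computed: str) -> bool:
    """Fixed pattern: compare the complete strings, in constant time."""
    return hmac.compare_digest(stored.encode(), computed.encode())


def constrained_codes(stored: str) -> set:
    """Code points 0..59 that occur in `stored`. These are the only characters
    whose first-occurrence position the flawed check verifies; everything else
    in the candidate hash goes unchecked. In bcrypt's alphabet only '$' (36),
    '.' (46), '/' (47) and the digits '0'-'9' (48-57) fall in that range."""
    return {i for i in range(BCRYPT_LEN) if chr(i) in stored}


# Constructed sample values (not real bcrypt output).
PREFIX = "$2a$10$"  # version and cost; identical for every hash at this cost
STORED = PREFIX + "abcdefghijklmnopqrstuv" + "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZa"

# A different "hash" whose letters all differ but whose '$' and digit positions
# are the same: the flawed loop cannot tell it apart from STORED.
FORGED_MATCH = PREFIX + "ABCDEFGHIJKLMNOPQRSTUV" + "wxyzabcdefghijklmnopqrstuvwxyzA"

# A stored hash with a digit in its salt, and a candidate in which that digit
# first appears two positions earlier: the flawed loop does reject this one,
# which is why hashes containing more digits or punctuation need more attempts.
STORED_WITH_DIGIT = PREFIX + "abcdefghijkl3nopqrstuv" + "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZa"
SHIFTED_DIGIT = PREFIX + "abcdefghij3lmnopqrstuv" + "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZa"


def demo() -> dict:
    """Run the comparisons and return the outcomes."""
    for s in (STORED, FORGED_MATCH, STORED_WITH_DIGIT, SHIFTED_DIGIT):
        assert len(s) == BCRYPT_LEN
    return {
        "flawed_accepts_forgery": flawed_check(STORED, FORGED_MATCH),
        "correct_accepts_forgery": correct_check(STORED, FORGED_MATCH),
        "flawed_rejects_shifted_digit": not flawed_check(STORED_WITH_DIGIT, SHIFTED_DIGIT),
        "constrained": sorted(constrained_codes(STORED)),
    }


if __name__ == "__main__":
    print(demo())
```

In the real library the computed string comes from re-hashing the candidate password with the stored salt and cost, so an attacker controls only the password and each guess yields a fresh, effectively random 31-character digest. The flawed loop accepts that guess as soon as the first-occurrence positions of '$', '.', '/' and each digit coincide with the stored hash, which is the event the quoted "within 1000 attempts" figure counts; a stored hash with few such characters is matched sooner.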

The flaw was disclosed to Bouncy Castle on October 20 and fixed in early November in release 1.67, with an advisory published yesterday.

However, 91% of organizations using the at-risk version of Bouncy Castle thus far haven’t patched, according to Sonatype.

Sonatype CTO Brian Fox claimed that the popular cryptographic Java library is used by developers across 26,000 organizations to secure their applications, and has been downloaded over 170 million times in the past 12 months alone.

This makes it a potentially serious supply chain risk: Bouncy Castle is usually pulled in transitively, so a project can depend on a vulnerable bcprov without naming it. Listing the resolved dependency tree (mvn dependency:tree, or gradle dependencies) and looking for org.bouncycastle:bcprov-jdk15on or the related bcprov artifacts at a version below 1.67 is the quickest check.

“Recent headlines about the massive SolarWinds attack highlighted the importance of software supply chain security and how easy it is for a single vulnerability to be distributed across multiple organizations, from government to security firms,” Fox argued.

“Ensuring the software you’re running across a business is built upon the most secure, updated components, requires maintaining a clean software bill of materials which automatically monitors for updates or malicious packages.”