13-Year-Old Password Security Bug Fixed

arglebargle_xiv writes "In a sign that many eyes don't really make (security) bugs shallow, a thirteen-year-old password-hashing bug that affects (at least) PHP, some Linux distros (Owl, ALT Linux, SUSE), and a variety of other apps has just been patched. This problem had been present in widely-used code since 1998 without anyone noticing it." Better late than never; reader Trailrunner7 points to this article outlining the dangers of old exploits, given old code for them to toy with.

At least it was fixed

[mangu]

How many bugs are there in commercial software that we don't know?

What we do know is that there are many exploits for commercial software. The vendors claim that such exploits only exist because that software is more popular, but this does not explain why Apache doesn't have four times more exploits than IIS

Re:At least it was fixed

[LordLucless]

Uh-huh. Because "In a sign that many eyes don't really make (security) bugs shallow" is such an unbiased opening for the story.

Re:At least it was fixed

And why is that not a reasonable opening for the summary?

Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

The correct answer for what makes a product secure: Proper coding practices combined with proper configuration.

IMO, Apache is certainly a better choice for a web server, but my opinion is not based on that fact that it is open source and instead based on the fact that it is actually more secure than IIS. Apache appears to be less often compromised, therefore I trust it more. However, if IIS one day holds the mantle of least compromised, then I will certainly consider it (I'm holding my breath though).

Re:At least it was fixed

[XanC]

Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

No, it isn't. In order to reach that conclusion, you'd have to compare it against closed-source code. Do you really believe there aren't now and have never been bugs that old in the closed-source world?

Re:At least it was fixed

[LordLucless]

Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

(Emphasis added)

Not unless you have some measurement of non open-source code against which you can compare. Which the OP pointed out . And you (or some other AC, can't really tell you guys apart) flamed him for.

Re:At least it was fixed

Does it matter? Being open source is NOT what makes something secure. Following proper coding practices and being properly configured make a program secure. Open source *may* help a project follow better coding practices... or it may hinder a project by having too many chefs in the kitchen... hard to know.

But I do know that I'm not going to run some software merely because it is open source. I am going to run it because it has demonstrated security in the past.

In other words, I go with what has been proven more secure, based upon vulnerability disclosures and compromises, not based upon misplaced trust in strangers auditing open source code for me.

Re:At least it was fixed

[MobileTatsu-NJG]

How many bugs are there in commercial software that we don't know?

Heh.

Monday:

"Really old bug finally patched in some popular Microsoft software!"

This shows how terrible proprietary software is!

Tuesday:

"Really old bug finally patched in some popular OSS!"

This shows how terrible proprietary software is!

Re:At least it was fixed

[Requiem18th]

In all fairness, software is only as secure as the culture behind it. Everybody using PHP knew of this bug for ages, just, nobody gave a damn. Except those who didn't know that also didn't give a damn.

PHP has never been crazy about security, what else do you expect from a runtime that once let you insert arbitrary variables into the script namespace?

The few people using PHP who care about security that much are using DIY password management anyway.

Re:At least it was fixed

[LordLucless]

based upon vulnerability disclosures and compromises

So the more vulnerabilities the vendor hides, the more you are convinced to buy their software. Sounds like a plan!

Re:At least it was fixed

[Riceballsan]

Well not necessarily, I don't completely agree with his point, but I can't disagree either. If the vendor succesfully hides the vulnerabilities until they are patched, then that is = to a bug in an open source product that wasn't noticed until it was patched. A security flaw in the wild does not go undisclosed completely. The vendor may deny it, but those effected may not (well some of them, it may vary). Fundamentalism is flawed in either direction. Apache is a great example of open source that has worked very well. While say Diaspora was released open source, and was riddled with so many security flaws it was deemed worse security wise then what it was trying to replace (especially sad considering the horrific trackrecord facebook has for security). Open source isn't a magic bullet that guarantees a turd can be changed to gold overnight. While I agree many open source projects have a good track record and a tendency to patch flaws at the "theoretical risk" stage, and many proprietary products tend to wait until systems are actually compromised to lift a finger. Not every proprietary program is flawed, nor every open source program flawless.

Re:At least it was fixed

[LordLucless]

Well not necessarily, I don't completely agree with his point, but I can't disagree either. If the vendor succesfully hides the vulnerabilities until they are patched, then that is = to a bug in an open source product that wasn't noticed until it was patched

Well yes, that's entirely my point. Those bugs you don't know about until they're patched, so it's impossible to factor them into your consideration when evaluating a product. If you're looking at two products, an open source system with 100 open issues, and a closed source with 5, you cannot compare the two based on disclosed vulnerabilities - they're tracking different things. The open source metric is a representation of known bugs. The closed source metric is a representation of known bugs that the developer has chosen to disclose.

Nobody's trying to say open source is a panacea (except possibly the AC, to setup a straw man). What they're saying is that the fact there is an old bug in open source software, doesn't necessarily mean open source is inferior to closed - especially when there's no sure way of knowing about comparable bugs in closed source software.

Re:At least it was fixed

[Gordonjcp]

Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

It's not really insecure if there isn't a practicable exploit for it. This bug is more of a "sticky door" - annoying, but not really a big problem in day-to-day use.

Re:At least it was fixed

[tehcyder]

How many bugs are there in commercial software that we don't know?

And how many bugs are there in FOSS software that we don't know? The answer "none, because many eyes..." does not sound so convincing now.

Re:At least it was fixed

[tehcyder]

Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

No, it isn't. In order to reach that conclusion, you'd have to compare it against closed-source code. Do you really believe there aren't now and have never been bugs that old in the closed-source world?

No, the usual pro-FOSS argument isn't "FOSS is more secure than closed source software because fewer bugs happen to have been found" it is "FOSS is more secure by definition, because of the many eyes thing."

Re:At least it was fixed

[tehcyder]

What they're saying is that the fact there is an old bug in open source software, doesn't necessarily mean open source is inferior to closed - especially when there's no sure way of knowing about comparable bugs in closed source software.

No, but conversely it also doesn't necessarily mean that open source is superior to closed if you can't directly compare them.

Re:At least it was fixed

[LordLucless]

Which is fine, since nobody was claiming that

Re:At least it was fixed

[cduffy]

The answer "none, because many eyes..." does not sound so convincing now.

Who ever said "none, because many eyes..." rather than "fewer, because many eyes..."?

It's a strawman. Nobody sensible ever made that claim.

Re:At least it was fixed

[MobileTatsu-NJG]

Ah, the astroturfing MS fanbois are at it again....

You can tell we're in for an intelligent discussion already.

How comes Apache doesn't have four times more exploits than IIS despite having four times the market share?

Did you ever stop and think about why people mess around with these exploits to begin with? Have you been paying attention to the news lately?

Sadly /. has become infested by high-level UID that keep on hating on OS X and Linux and it's really pathetic to see you MS astroturfing fanbois getting upvoted.

Are you done acting like you're the voice of reason alone in a sea of bias?

Re:At least it was fixed

[del_diablo]

Mod up!

Re:At least it was fixed

[spauldo]

Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

No, it's not. It's a data point. It should be considered along with other data points (namely, if any bugs have been found because of open source methodology) to craft an argument.

If it can be shown that the "many eyes" theory has not solved any security issues, then you have an argument against it. One example is not enough.

Not unprecedented

[slimjim8094]

http://www.osnews.com/story/19731/The-25-Year-Old-UNIX-Bug

These kinds of stories make me nervous, because I always assume that crackers know about these and are using them secretly.

Though this is obviously not a OSS issue. Were this Windows, it might not have been found at all.

Re:Not unprecedented

[martin-boundary]

Exactly. In Windows, you'd simply be told to reboot frequently enough so the password bug doesn't get triggered :)

Re:Not unprecedented

[blair1q]

I always assume that crackers know about these and are using them secretly.

And when caught at it publish everything they have and blame you for not securing your system.

Re:Not unprecedented

[joabjon]

Certainly not unprecedented:
17-year-old issues in NTLM not many people know about (now fixed)
http://www.ampliasecurity.com/research/OCHOA-2010-0209.txt
http://www.ampliasecurity.com/research/NTLMWeakNonce-bh2010-usa-ampliasecurity.pdf

Re:Not unprecedented

[dudpixel]

Exactly. In Windows, you'd simply be told to reboot frequently enough so the password bug doesn't get triggered :)

Nah, windows already reboots frequently enough. Its now a "feature".

Re:Not unprecedented

[satuon]

If crackers were using them a lot and there were viruses in the wild that were using them, then people would have quickly found out about those bugs and patched them. I think the reason they stayed hidden for such a long time was nobody really exploited them.

Re:Not unprecedented

[daid303]

If you read the report, you'll notice that the bug introduces a slight incompatibility and a slight reduction in password strength if you use the 8th bit (read none-latin) characters. With blowfish (one of the many possible hash functions)

Yes, it's a bug. Yes, it needs to be fix. No, it's not OMG we're going to be pwned!

Re:Not unprecedented

[AliasMarlowe]

Certainly not unprecedented:
17-year-old issues in NTLM not many people know about (now fixed)
http://www.ampliasecurity.com/research/OCHOA-2010-0209.txt
http://www.ampliasecurity.com/research/NTLMWeakNonce-bh2010-usa-ampliasecurity.pdf

And not forgetting the arithmetic error in Windows Calculator, which first affected the calculator in Windows 1.0 (November 1985) and persisted until Windows 98 (June 1998): almost 13 years. The version for Windows 3.x was not actually fixed until 2004 as a download from Microsoft, about 14 years after Windows 3.0 was released.

The existence of exactly the same bug in OS/2's built-in Windows subsystem (definitely OS/2 2.0, 2.1, 3.0; I never used 4.0) was evidence that IBM was using exactly the same code for Win-OS/2 as Microsoft used for Windows. Here's an example calculation for anyone who has a Windows 3.x or similar ancient version still running:
3.11-3.1=
The buggy calculator gives 0.0 as the answer. The existence of this bug was widely known, but ignored by Microsoft for years.

Re:Not unprecedented

[sjames]

This one certainly needed fixing, but probably had a fairly small impact. Few passwords have the 8th bit set in any of the characters.

Re:Not unprecedented

[JasterBobaMereel]

If you use Blowfish
If you use this library
If you use extended chars in a password

then sometimes (1/8 chance) a small part of hash is ignored reducing the strength slightly ...

A lot of if's to not very much effect ...

Re:Not unprecedented

[dudpixel]

laugh man, its good for you. clearly I was just poking fun at it.

I use windows 7 at home and I agree its pretty stable. However if you want to argue the point, windows DOES still need rebooting after certain software installations and settings changes. Far more often than the equivalent operations under MacOS or Linux.

A 13 Year Old Bug ...

[WrongSizeGlass]

A 13 year old bug is no match for a 13 year old hacker.

Re:A 13 Year Old Bug ...

[Chris+Burke]

That's what they meant by "13-year-old password security bug"! Turns out you could get access to any system by screaming "Cockfag!" into the microphone.

Uh Oh...

[steevven1]

Slashdot might be getting a lot of unwanted traffic from Google search queries containing "13-year-old" now...

Re:Uh Oh...

[JWSmythe]

    You know, it's weird, but ya, it'll get you traffic.

    One of the things I do is run a mainstream news site. In that, pedophiles get bused for all kinds of things. Those end up being keyword rich pages that seem to come up for all kinds of fucked up variations of what pedophiles look for. There's nothing like reviewing your logs to have an amazing disgust for society as we know it.

    There is only one thing I feel good about. On some keywords and phrases, we come up in the top 3 results. So the pedophiles may be looking for underage smut, but instead they're presented with news stories about other pedophiles going to jail.

    It seems like an acceptable solution to me. Pollute their searches with so many non-smut sites, preferably with news stories about long prison terms, or deaths by the hands of other inmates. Maybe it will help encourage them to make their best attempt at winning a Darwin Award.

Re:Uh Oh...

[tehcyder]

There is only one thing I feel good about. On some keywords and phrases, we come up in the top 3 results. So the pedophiles may be looking for underage smut, but instead they're presented with news stories about other pedophiles going to jail.

Which presumably just makes them into more careful pedophiles who are harder to catch. Good work!

So if I understand this right?

[0123456]

I can't easily tell exactly what the bug is here, but it appears to require that you have your password algorithm set to blowfish and use passwords with non-ASCII characters? That doesn't seem a likely combination on any modern Linux installation.

Re:So if I understand this right?

[blair1q]

In the US maybe.

Though, yes, it implies you're using accented characters and have blowfish as your algorithm.

So it's a vulnerability enabled by a very small portion of a very small population.

Which is why it lasted for 13 years with nobody caring much, except academically.

But, if you knew you could use 8-bit characters, and you generated your passwords randomly, this could affect half of your password space. Which could be significant if your passwords were kept in compartmentalized files that themselves are accessible only to different authorized people. Bureaucracy can get very hairy, in such circumstances.

Re:So if I understand this right?

[Obfuscant]

I read the linked comment (not much of a description there), but it does appear that it is triggered by "8 bit characters" in passwords.

It talks about "pound sign" as the test, but claims that it is "\xa3 in C". I didn't know that C had a different definition for ASCII characters than ASCII does, and in my ASCII tables the octothorpe is 0x23. Ahh, maybe a language difference, and the "british currency symbol" is what he is referring to.

Or maybe this points out the error of relying on non-standard characters for anything. According to my Web Design nutshell book, \&#163 is the British pound symbol, but apparently FF3 doesn't know it (or /. strips it.) Here are two in a row: -- I see nothing. That's defined in ISO 8859-1, however, and not ASCII.

In any case, it looks like if you use standard ASCII characters in your password you are not a target for this bug.

Re:So if I understand this right?

[Obfuscant]

But, if you knew you could use 8-bit characters, and you generated your passwords randomly, this could affect half of your password space.

If you generate your passwords randomly, you are going to have a hard time entering them from a lot of keyboards and OS. For example, I don't seem to be able to enter this \xa3 "pound sign" on this OS using the "alt+0163" Windows hack.

In any case, if you cut the number of selections for each character in a password in half, you cut your password space by 2^n, where n is the number of characters in your password.

Re:So if I understand this right?

[simcop2387]

They mean the british pound sign, not the octothorpe # . Ain't language fun?

Re:So if I understand this right?

[hattig]

Slashdot strips it, it's a known bug with Slashdot since 1998, and still not fixed. What's that? 13 years? I think the HTML works ... £

It also appears that if this library was used for any other hashing, that this bug would arise. And if that included binary files then it almost certainly would have been triggered.

The main issue is that it consistently generates the wrong hash, so that it actually appears to work fine.

However the bug fix means it now generates the correct hash. Which is going to be different. So you may have websites with significant numbers of the user base now unable to log in, for example (I am certain that accented characters will be popular in passwords in Europe, for example, and let's not even consider other areas of the world). I also wonder how many Mac users use the (S with a circle in the middle) symbol in a password. Which of course raises support queries, which costs money/time to handle ...

Re:So if I understand this right?

[tehcyder]

Slashdot strips it, it's a known bug with Slashdot since 1998, and still not fixed. What's that? 13 years? I think the HTML works ... £

I can't believe an open source coded site like slashdot could have a 13 year old bug.

Re:So if I understand this right?

[blair1q]

keyboard?

and I meant hyperspace. damn autocollate.

Re:So if I understand this right?

[JasterBobaMereel]

I have a key for that (Shift 3) ... perhaps I am one of few people who don't live in the USA ?

hmmm

[nomadic]

In a sign that many eyes don't really make (security) bugs shallow

Also proof that security through obscurity works.

Re:hmmm

[arth1]

Also proof that security through obscurity works.

Evidence, perhaps, but certainly not a proof, unless you can prove that black hats haven't exploited this in the last 13 years.

Contrary to popular belief, most black hats aren't in it for the fame, but for other reasons including personal satisfaction, thrill and in some cases monetary gains. And when you're not in it for the fame, you don't disclose what you've found -- you guard the secret carefully so you can continue to exploit it. Yes, for thirteen years. I know of active backdoors far older than that.

Re:hmmm

[Jonner]

In a sign that many eyes don't really make (security) bugs shallow

Also proof that security through obscurity works.

How is this proof of that? For all we know, crackers have been exploiting this vulnerability for years.

Re:hmmm

[mangu]

when you're not in it for the fame, you don't disclose what you've found -- you guard the secret carefully so you can continue to exploit it. Yes, for thirteen years

What you are saying is that there are worms and viruses out there using it, there are botnets based on that bug? Interesting, why has no one noticed anything so far?

Re:hmmm

[Runaway1956]

You're doing at least as well as the "intelligence" communities. Seems that all their secrets get leaked nowadays. ;>)

Re:hmmm

[arth1]

Exploits are more than botnets and viruses. There are people who log in to a former employee's server every week, copies a few documents, and leave without a trace. For years.
Some spy on exes, bosses or celebrities just for the thrill.
Some skim a little CPU power or storage here and there.
Some do single account transfers that aren't discovered.
Others simply enter machines because they can, again without running botnets and viruses.

Re:hmmm

[mangu]

There are people who log in to a former employee's server every week, copies a few documents, and leave without a trace. For years.

And those, invariably, use social engineering. You don't break a password hashing function when all you have to do is read the post-it stuck under the table.

Re:hmmm

[Architect_sasyr]

Sometimes you don't want to put your fingers anywhere near the site, be it for building security or whatever the reason. The continued proliferation of people who consider that you can just beat someone with a rubber hose for a password, or read it off a post it note so who would bother breaking this algorithm are entirely unhelpful to fostering a secure environment. Just because there are easy methods of physical access, doesn't mean every cracker out there is using them, just like not every cracker out there runs a giant DDoS botnet.

90% of the time I will perform a pentest completely over the wires, just to prove this exact point.

Re:hmmm

[bluefoxlucid]

This is a slight reduction in password strength if you're using Blowfish and have a british pound sterling sign in your password, rather than a normal password and using the standard salted MD5 hash or deliberately changing from MD5 to SHA1, which is the only likely change most people would make. It almost never happens and doesn't create an instant break when it does; it's effectively a non-issue, but you know.. if it's loose, tighten it up, I don't care if it's going to fall off or not.

Re:hmmm

[sjames]

More like bugs that are rarely triggered enough don't cause much trouble.

Re:without anyone noticing it?

The 'shut up and submit a patch, bitch' excuse really sucks in the long term.

Re:No shit

[mangu]

It only holds water if people are actively looking at the code and noticing the bugs, which in many cases they are not.

But you must admit that in some cases people are looking at the code, while in commercial code no one but those who developed it can take a look.

If you have ever developed code you must have noticed how often you spend hours looking at your code trying to find a bug and then someone comes looking over your shoulder and points out the obvious error.

Re:No shit

[Meshach]

... this is Slashdot and ESR is a God who can never be wrong.

When did ESR get elevated to Linus' level?

Come on, it's PHP

[A+beautiful+mind]

What the fuck did you expect, excellent design practices and high quality code?

Re:Come on, it's PHP

[LordLucless]

Uh, crypt_blowfish is pretty definitely not written in PHP. You know you can't just scan the summary for buzzwords and draw conclusions without actually reading and comprehending it don't you?

Re:Come on, it's PHP

[Simon80]

Thanks for making me laugh, but at a glance, it looks like the bug is actually in this package, not PHP.

Re:Come on, it's PHP

[A+beautiful+mind]

I'm an advanced slashdot user, I don't even read the summary anymore.

Re:Come on, it's PHP

[Firehed]

To be fair, it's hardly PHP's fault that the shared library's implementation was broken. The primary benefits of using a library (not reinventing the wheel, wisdom of many, etc.) are generally outweighed by occasionally inheriting one of their bugs. Especially since you also inherit their bugfixes. While the core PHP team is actually quite well accomplished at security (even if PHP enables any idiot to make insecure sites by virtue of being easy to learn), I'd still rather them use widely adopted libraries than come up with their own implementation.

Re:Come on, it's PHP

[kat_skan]

What the fuck did you expect, excellent design practices and high quality code?

Honestly? A second function named blowfish_real_hash_string.

Re:Come on, it's PHP

[JohnnyBGod]

You win, sir! Well done. Somebody mod him up!

Re:Come on, it's PHP

[bluefoxlucid]

are generally outweighed? You mean you shouldn't do it?

crypt_blowfish

[TopSpin]

The common thread among these systems (PHP, (Open)SUSE, etc.) is the use of crypt_blowfish, a flawed implementation of the blowfish hash function. Constructing passwords that collide is easy due to a sign extension bug. A SUSE user can observe the use of blowfish in /etc/default/passwd, where the default value of CRYPT_FILES is 'blowfish'.

To be clear, the problem is a flawed implementation; the blowfish hash algorithm itself remains sound.

The PHP crypt() function supports several common hash algorithms including blowfish. The PHP 'documentation' implies that DES is default. Anyone care to speculate on the likelyhood of widespread blowfish use by public sites?

Re:crypt_blowfish

Just to clarify something: there is no "blowfish hash function". Blowfish is just a (symmetric) block cipher with a relatively expensive (and memory-hungry) key schedule.

Although it's true there are several ways of turning a block cipher into a hash function (via Merkle-Damgaard construction, for instance), they are obviously not the same.

In a nutshell: there is no "blowfish hash function", but a "hash function based on Blowfish".

Re:crypt_blowfish

[szquirrel]

Anyone care to speculate on the likelyhood of widespread blowfish use by public sites?

Wide. Many major PHP projects have been moving toward Openwall's PHPass algorithm that uses Blowfish as its preferred hashing algorithm. Note that even with this bug it's still better than the unsalted MD5 or SHA1 hashes that most projects were using previously. Today any of those old hashes can be brute-force cracked by a $200 GPU in about a day.

Re:crypt_blowfish

[MikeBabcock]

Allowing the use of single DES should also be considered a security bug.

Re:crypt_blowfish

[jonescb]

OpenSSL has a blowfish cipher, which I assume doesn't have the same bug. If your system has OpenSSL, but not OpenWall, would PHP use OpenSSL?
The OpenWall site says that PHP 5.3 uses it, but is it included in the PHP binary so OpenSSL isn't an option?

17yr-old bug in NTLM not many people knew about

http://www.ampliasecurity.com/research/OCHOA-2010-0209.txt
http://www.ampliasecurity.com/research/NTLMWeakNonce-bh2010-usa-ampliasecurity.pdf

Not used in reasonable systems anyways

[gweihir]

These moved from DES to MD5 passwords a long time ago and were never vulnerable to this.

Re:Not used in reasonable systems anyways

[MikeBabcock]

Many many moons ago I seem to recall the documentation saying not to use the passwd function and to use MD5 for password storage anyway.

Re:Yikes, how do you roll out a fix for that.

[Firehed]

Have a setting in the tools that call it to use the legacy/broken implementation, and enable it by default in the next patch. See: MySQL old passwords. Or some sort of option that you can set on the function, similar idea.

The better but less compatible way is to put a huge warning on the patch, telling people that if the password doesn't match, check again with the USE_BROKEN_BLOWFISH_IMPLEMENTATION flag passed into the function and if that matches, update your data with the good hash and continue on as normal. That will inevitably piss off a lot of people on shared hosting and/or unmaintained applications but from a security standpoint it's the better option.

no reason to conclude open source is not secure

[binarstu]

Concluding, from this bug, "that many eyes don't really make (security) bugs shallow" is absolutely not justified. This is a single anecdote (sample size = 1), and there is no good or easy way to compare this to what would have happened had the code been closed. One could just as easily claim that if the code were not open, it would have been 10 more years before the bug was uncovered.

Re:no reason to conclude open source is not secure

[tangent]

The famous quote doesn't apply to unidentified security flaws.

The point of the quote is that when someone points out buggy behavior, the many eyeballs will quickly pierce to the heart of the bug and find a way to fix it. With fewer eyes, really nasty bugs often remain unfixed long past the time they are first identified because none of the brains behind the few eyeballs that have looked at it have figured out the fix yet.

The nature of most security bugs is that their existence is not obvious. Most software with security flaws performs its intended function as long as it is run within expected bounds. There is nothing for the many eyeballs to attack until someone tries pushing the software into its operational gray areas, then notices that it does something unwanted or unexpected. As soon as that happens, the quote applies: security holes in open source software are typically fixed soon after being identified.

Re:no reason to conclude open source is not secure

[Steeltoe]

You sure? Because I could've sworn security is nothing without taking into account unidentified security flaws.

Or else, you could argue the best security is blinding your eyes, screaming: "LALALALALALALA, no bugs heeere!"

This is why privileged account is so silly to be logged in to, something Windows Vista and 7 tries to fix using UAE. Unix has been superior in that department since day 0 using unprivileged accounts by default (ie. in the default Ubuntu-install). Even if there is a vulnerability, ie. in the Firefox UI or something similar, you're less likely to be seriously hit, by using an unprivileged account that doesn't automatically give exploits full root privileges.

Silly Microsoft. Yes, we blame them for every worm and trojan that exploit these silly security decisions.
However, security is a HARD problem, more of an ongoing process than something you can attach to any product.
Anyone serious about security, have to spend a lifetime studying and working for it.

Re:no reason to conclude open source is not secure

[TangoMargarine]

To be fair, Ubuntu by default only requires you type in your user password for that kind of thing. Combine with one of those "click yes to anything" users and you really don't have any extra security other than the commonly-cited "less malware if not on Windows" angle.

Does anybody know what the deal is with Ubuntu's hidden/disabled root account? I.e., what exactly they did and why?

Umm, It's not an official fix

[sdguero]

It appears that whoever wrote the summary didn't read the links they provided:

"I am going to provide an official fix for crypt_blowfish (likely the one-liner plus added tests). I thought I'd bring the issue up on oss-security sooner rather than later."

So, the bug appears to have been found today and the developer has a one liner solution but hasn't released a patch. I think the summary did a piss poor job talking about what is affected by the problem too... specifically crypt_blowfish, which i know my company uses for a few things. It is interesting to know that this hash is now far weaker than originally thought until it gets patched (which will prolly take a long time to make it into major distros).

Anyway, i'm done bitching, definitely a story worthy of /. I just think the summary was trying to tie in too much (old bugs blah blah) and misrepresented the impact and fix.

Re:Umm, It's not an official fix

[solardiz]

We're getting close to an official fix, which includes a quick self-test on every use (not just by "make check"), with both 7- and 8-bit chars: http://www.openwall.com/lists/oss-security/2011/06/21/2

Re:Umm, It's not an official fix

[sdguero]

MOD PARENT UP!

Importance of Clarity

[rueger]

Seems to me that there are at least two different questions here, and that most of these comments confuse them.

The first, and perhaps more intriguing, is how a bug like this could sit undetected for years. Regardless of whether it's proprietary or Open Source software, bugs will remain until someone, somewhere finds them.

The second, and this is where Open Source arguably has an advantage, is how soon a vulnerability is patched once it has been found - in this case pretty fast.

And of course whether the patch gets applied to end users' systems.

Re:Importance of Clarity

[Chuck+Chunder]

The first, and perhaps more intriguing, is how a bug like this could sit undetected for years.

It does seem odd that people haven't run fuzzed data against a number of different implementations of blowfish and not noticed differing output. I'd have thought that would be a fairly normal thing for someone developing a crypto algorithm implementation to do.

Re:Importance of Clarity

[solardiz]

It does seem odd that people haven't run fuzzed data against a number of different implementations of blowfish and not noticed differing output. I'd have thought that would be a fairly normal thing for someone developing a crypto algorithm implementation to do.

Of course. But there are reasons why this didn't happen to a sufficient extent in this case. None of these reasons are valid excuses. There are lessons to learn from this.

There were test vectors, and the implementation behaved exactly like OpenBSD's on those. The code was in John the Ripper, and it was correctly cracking password hashes from OpenBSD. So it felt like the code was working just as it should have, because it actually did (on the tests that were thrown at it). There was no expectation that specifically 8-bit characters would cause any difference.

As to fuzzing vs. OpenBSD's implementation, I wish I did that, and I wish I included 8-bit characters. I felt that JtR essentially was an equivalent of this test, due to people using it to crack password hashes from OpenBSD. The code existed in JtR for 2-3 years before I made it available separately for reuse. Apparently, 8-bit characters in weak passwords (and in wordlists) were just too uncommon for anyone to notice any passwords not getting cracked where they should have been.

Blowing things out of proportion

A flaw in an obscure blowfish implementation that isn't used by any of the major distributions is not the dire situation implied here (considering SUSE basically irrelevant anymore). This incident actually reaffirms the many eyes philosophy. Few eyes had the motive to look at this particular code, so the flaw was simply not seen.

Re:Blowing things out of proportion

[livingboy]

Guess what, I have currently one laptop and two desktops running the latest openSUSE, so for me this bug and platform is not irrelevant.

Re:hunter2

[guybrush3pwood]

Everybody tells me they still see asterisks ... :shrug:

You posted as AC because you're embarrassed about linking to bash.org, right?

So then the real question is!!!

[EETech1]

So then the real question is... When was it fixed in the "BSD's"???

Ducks:)

Re:So then the real question is!!!

[ifrag]

Well, OpenBSD does have a custom branch of Apache =)

I think it's a fair point though, the BSDs seem more focused on being clean and correct, where Linux is more focused on extending functionality.

easily avoided

[sithlord2]

Do people still use the same salt for all hash-functions? I assume this can be easily fixed if you just use an unique value (like the username) as a salt.

Re:hunter2

[Eunuchswear]

Hey, how did they know my password?

Those Lulz guys...

[Timtimes]

are gonna be so pissed. Enjoy.

Here's what's affected

[szquirrel]

The impact of this is actually pretty wide. Crypt_blowfish has been gaining popularity as a hashing algorithm in PHP thanks to Openwall's PHPass framework. Four years ago most PHP projects that I know were still using MD5 or SHA1 to hash passwords. Today those MD5 and SHA1 hashes can be brute-force cracked by free software running on a $200 GPU in a matter of days if not hours. So even a buggy version of Blowfish is still better by far.

So yeah, it's a wide-ranging bug but not a world breaking one. For starters it only affects passwords that use 8-bit characters, so passwords typed by anyone using a US-English keyboard still produce the same hashes as the correct Blowfish implementation.

For passwords of length n*4-1 (3, 7, 11, 15, ...), 8-bit characters in certain positions will result in some characters being ignored by the hash function. This makes it possible (though still not easy) to produce a collision, i.e. multiple different passwords that result in the same hash.

It's bad, but I want to stress that using even a buggy crypt_blowfish for password hashing is still a quantum leap over the single-hashed MD5 or SHA1 that you were seeing literally everywhere in the PHP world just a few years ago.

Re:Here's what's affected

[solardiz]

Was I the only one who read that as PHP ass framework?

No, a lot of people read it like that, and this word play was deliberate - it actually helps the marketing by attracting extra blog posts ("hey, I found something stupidly named" and the like). ;-) However, the official spelling is "phpass", with no caps, where "pass" is for password or pass (successful authentication).

I previously made a similar spelling joke in naming popa3d, a POP3 server. Russians get this one.

As to the bug, as other people noted the typical alternatives to not using phpass and crypt_blowfish would have been far worse. This is not an excuse. I do feel embarrassed for the bug. But I am also being realistic such that I and others learn the right lessons from this.

In practice, most uses of phpass that I am aware of don't actually use crypt_blowfish (and thus are not affected) - those choose to use phpass' "portable hashes" instead. For passwords without 8-bit chars, those are weaker than crypt_blowfish, but they do avoid the bug. (And with 8-bit chars it is not obvious which are weaker, even despite of the bug.)

(Apparently, I forgot to submit this comment the first time around. To avoid re-typing, I ptrace(2)-dumped my Firefox process memory to a file, then grepped it for "deliberate" - and here the comment is. I am used to doing things like that, e.g. when investigating abusive processes on compromised shared hosting accounts of customers. Maybe someone will find this tip useful or curious.)

Re:No shit

[tehcyder]

It only holds water if people are actively looking at the code and noticing the bugs, which in many cases they are not.

But you must admit that in some cases people are looking at the code, while in commercial code no one but those who developed it can take a look.

If you have ever developed code you must have noticed how often you spend hours looking at your code trying to find a bug and then someone comes looking over your shoulder and points out the obvious error.

So you only the specific developer who writes a piece of code gets to look at that code in commercial software? There is no review or management process whatsoever?
In that case, commercial software is certainly more error prone.

reduced entropy of hashed passwords

[doperative]

"Gawker used this broken implementation, which replaced all non-ascii characters with question marks prior to hashing". link

"Versions of jBCrypt before 0.3 suffered from a bug related to character encoding that substantially reduced the entropy of hashed passwords containing non US-ASCII characters.

"An incorrect encoding step transparently replaced such characters by '?' prior to hashing. In the worst case of a password consisting solely of non-US-ASCII characters, this would cause its hash to be equivalent to all other such passwords of the same length". link

Didn't anyone ever test the algorithm to see if if functioned as designed, as in producing unique hashs for very similar passwords. Would be most important as part of an encryption suite ..

It's true

[Cro+Magnon]

Open source doesn't guarantee the code will get looked at. However, closed source does guarantee that it WON'T get looked at.

Re:No shit

[cduffy]

Parent said "those who developed it" (the organization), as opposed to "the individual who developed it". One set is doubtless larger than the other.

More to a point -- almost every commercial organization I've been in has had one or two reviewers for each patch. Almost every well-organized open source project I've been in has had patches posted to an open mailing list that everyone is encouraged to review, and then required explicit approval from one or two individuals for merge.

You tell me which of those is the stronger process.

Re:Ulrich Drepper was right

[solardiz]

It seems like Ulrich Drepper was right opposing, in rather harsh words, my suggestions to include bcrypt in glibc. My bad.

I also briefly thought of where we would be if Ulrich accepted bcrypt into glibc. I have several points to make:

1. It is likely that adjusting the crypt_blowfish code to glibc conventions would happen to remove the bug - just like it happened with Perl's Crypt::Eksblowfish (it's based on crypt_blowfish, but the bug is gone). Yes, this does mean that those coding conventions are maybe superior, although it is easier for them to be such when only a more limited number of platforms is considered. There is a lesson for me to learn here.

2. bcrypt is not only crypt_blowfish. glibc could also use OpenBSD's code (lacking this bug) if it looked more suitable by whatever criteria.

3. I just took another look at Ulrich's SHA-crypt.txt, sha256crypt.c, and sha512crypt.c. I don't see any 8-bit characters in passwords in the test vectors. Unless I have missed those, it looks like a bug in SHA-crypt causing similar misbehavior would go unnoticed. No, I do not find it likely that such a bug exists there, but then I also did not find it likely for crypt_blowfish. Anyone wants to test and confirm that there's no 8-bitness bug in SHA-crypt? Please do. But what to test Ulrich's SHA-crypt against? Does Solaris use the same code or a reimplementation? (I don't know.) If it's the same code, and no reimplementation exists, then you'd have to try causing collisions or something like that, perhaps with low "rounds" (to make this test reasonably quick). Or create that reimplementation for testing. (BTW, I did the latter in phpass, for testing the correctness of my implementation of its "portable hashes".)

4. SHA-crypt is reasonably good, especially for acceptance due to its use of NIST-approved SHA-2 family functions. However, it does have its drawbacks. bcrypt turned out to be GPU-unfriendly, whereas we should see reasonably efficient implementations of SHA-crypt for GPUs soon (this is being worked on and I see no major obstacles). In neither case a GPU is usable for password hashing on an authentication server (there's too little parallelism in one instance of a bcrypt or SHA-crypt hash computation), even if you had a GPU there, so GPU-unfriendliness is an advantage of bcrypt if you compare it against SHA-crypt.

5. Finally, there have been plenty of security bugs in glibc.

Re:No shit

[bluefoxlucid]

not to mention people who manage to get paid for the hobby of pointing out everyone else's mistakes...

Bug "half-life"

[Dr.+Manhattan]

"Many eyes" doesn't solve everything, and nobody claimed it did. One thing it does do is shorten the 'half-life' for bugs to be found. Bugs tend to be found faster when many eyes are looking at the source. Some can remain for a long time - obviously - but according to every metric I've seen, open-source code tends to have noticeably fewer bugs than proprietary code.

Re:without anyone noticing it?

[The+Archon+V2.0]

The 'shut up and submit a patch, bitch' excuse really sucks in the long term.

Actually, it just really sucks overall.