Date: Sun, 17 Dec 2017 15:17:45 +0100 From: Stefano Brivio <sbrivio@...hat.com> To: Raphael Geissert <atomo64@...il.com> Cc: oss-security@...ts.openwall.com, security@...atype.com Subject: Re: Sonatype Nexus Repository Manager 2.x weak password encryption On Sun, 17 Dec 2017 13:53:47 +0100 Raphael Geissert <atomo64@...il.com> wrote: > Hi, > > The Nexus Repository Manager in at least version 2.14.5  (latest of > the 2.x series), stores the LDAP bind password in an on-disk file > using PBE (bouncy castle's implementation of PBEWithSHAAnd128BitRC4). > > This is all great except for: > - it using only 23 iterations > - it using a hard-coded and weak password > > Therefore offering as much protection as a rot13 would. > > Given that the same PasswordHelper containing the weak password is > present elsewhere in the code, it is very likely that this weak crypto > issue affects other passwords stored by Nexus: > > - components/nexus-core/src/main/java/org/sonatype/nexus/configuration/PasswordHelper.java > - components/nexus-security/src/main/java/org/sonatype/security/configuration/source/PasswordHelper.java > > It appears that this code is no longer used by the 3.x series. > > FWIW, the on-file password is: > > base64(SALT_SIZE || SALT || PBE_OUTPUT ) > > SALT_SIZE always being 8 (hard-coded). > > N.b. I'll be filing a CVE request in a moment. > N.b. I have not contacted sonatype. I couldn't find an email address. The page at https://www.sonatype.com/contactus says: 1. Send urgent or sensitive reports to security@...atype.com. 2. Use our public key to keep your message safe. 3. Provide us with a secure way to respond. 4. We’ll get back to you as soon as we can. Usually within 24 hours. >  https://help.sonatype.com/display/NXRM2/2017+Release+Notes >  https://github.com/sonatype/nexus-public/blob/nexus-2.x/components/nexus-ldap-common/src/main/java/org/sonatype/security/ldap/upgrade/cipher/DefaultPlexusCipher.java#L64 >  https://github.com/sonatype/nexus-public/blob/nexus-2.x/components/nexus-ldap-common/src/main/java/org/sonatype/security/ldap/realms/persist/DefaultPasswordHelper.java >  https://github.com/sonatype/nexus-public/blob/nexus-2.x/components/nexus-core/src/main/java/org/sonatype/nexus/configuration/PasswordHelper.java >  https://github.com/sonatype/nexus-public/blob/nexus-2.x/components/nexus-security/src/main/java/org/sonatype/security/configuration/source/PasswordHelper.java > > Cheers, -- Stefano
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ