ID

VAR-201008-0272


CVE

CVE-2010-2967


TITLE

Wind River VxWorks loginDefaultEncrypt Algorithm encryption problem vulnerability

Trust: 1.6

sources: IVD: 0183e958-2356-11e6-abef-000c29c66e3d // IVD: 7d753cb1-463f-11e9-876d-000c29342cb1 // CNNVD: CNNVD-201008-031 // CNVD: CNVD-2010-3889

DESCRIPTION

The loginDefaultEncrypt algorithm in loginLib in Wind River VxWorks before 6.9 does not properly support a large set of distinct possible passwords, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session.

It is relatively easy to find a string that has the same hash value as a regular password. An attacker may be able to gain access to services that use the authentication API (loginLib).

The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password.

VxWorks is prone to a security vulnerability due to an insecure hashing algorithm. The issue affects multiple products from multiple vendors that ship with the VxWorks operating system. NOTE: This document previously covered two vulnerabilities in VxWorks. The remote security-bypass issue has been moved to BID 42158 (VxWorks Debugging Service Security-Bypass Vulnerability) to allow for better documentation of both issues.

This flaw occurs due to an insecure password hashing implementation in the authentication library (loginLib) of the VxWorks operating system. Regardless of what password is set for a particular account, there are only a small number (~210k) of possible hash outputs. Typical passwords consisting of alphanumeric characters and symbols fall within an even smaller range of hash outputs (~8k), making this trivial to brute force over the network. To exacerbate matters, loginLib has no support for account lockouts and the FTP daemon does not disconnect clients that consistently fail to authenticate. This reduces the brute force time for the FTP service to approximately 30 minutes. To demonstrate the hash weakness, the password "insecure" hashes to the value "Ry99dzRcy9". The password "s{{{{{^O" also hashes to the same output.

The hashing algorithm itself is based on an additive sum with a small XOR operation. The resulting sums are then transformed to a printable string, but the range of possible intermediate values is limited and mostly sequential. The entire collision table has been precomputed and will be released in early September as an input file for common brute force tools. More information about the hashing algorithm itself is available at the Metasploit blog post below: http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

There are three requirements for this vulnerability to be exploited:
* The device must be running at least one service that uses loginLib for authentication. Telnet and FTP do so by default.
* A valid username must be known to the attacker. This is usually easy to determine through product manuals or a cursory review of the firmware binaries.
* The target service must be using the default loginLib library and must not have changed the authentication function to point to a custom backend.
A typical VxWorks device will meet all three requirements by default, but customization by the device manufacturer may preclude this from being exploited. In general, if the device displays a VxWorks banner for Telnet or FTP, it is more than likely vulnerable.

-- Vendor Response:
Wind River Systems has notified their customers of the issue and suggested that each downstream vendor replace the existing hash implementation with SHA512 or SHA256. The exact extent of the vulnerability and the complete list of affected devices is not known at this time. Example code from Wind River Systems has been supplied to CERT and is included in the advisory below: http://www.kb.cert.org/vuls/id/840249

-- Disclosure Timeline:
2009-06-02 - Vulnerability reported to CERT for vendor notification
2009-08-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by HD Moore

-- About Rapid7 Security
Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool. Our vulnerability disclosure policy is available online at: http://www.rapid7.com/disclosure.jsp
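To make the collision described above concrete, the following is an added Python re-implementation of the weak loginLib hash as the advisory describes it (additive sum with a small XOR, a constant multiplier, digits remapped to printable characters); it is not Wind River's code and not code from the Metasploit project. The multiplier 31695317, the 32-bit wraparound of the product, the 8-to-40 character length rule and the remap entries for digits 3 and 6 are assumptions taken from public descriptions of the algorithm; the remaining remap entries are reconstructed from the page's own "insecure" / "Ry99dzRcy9" sample.

```python
# Re-implementation of the VxWorks loginDefaultEncrypt scheme, reconstructed
# from public descriptions. Not Wind River code. Two different passwords with
# the same additive sum produce the same stored hash, which is the flaw.

MAGIC = 31695317        # multiplier applied to the sum (assumed from public write-ups)
MASK32 = 0xFFFFFFFF     # 'long' is 32 bits on the affected targets (assumed)

# Decimal digit -> printable character. Reconstructed from the page's sample;
# the '3' -> 'b' and '6' -> 'x' entries never occur in that sample and are
# assumed by extension of the visible pattern ('3'..'5' shift by 47 = '/',
# '6'..'8' shift by 66 = 'B', '9' is left unchanged).
_REMAP = {"3": "b", "4": "c", "5": "d", "6": "x", "7": "y", "8": "z", "9": "9"}


def vxworks_hash(password: str) -> str:
    """Return the loginLib-style hash string for password (8..40 chars)."""
    if not 8 <= len(password) <= 40:
        raise ValueError("loginLib accepts passwords of 8 to 40 characters")
    acc = 0
    for i, ch in enumerate(password, start=1):
        # Additive sum with a small XOR: only the final sum matters, so any
        # string with the same sum collides with the real password.
        acc += (ord(ch) * i) ^ i
    product = (acc * MAGIC) & MASK32
    if product >= 0x80000000:          # sprintf("%ld") prints a signed 32-bit value
        product -= 0x100000000
    out = []
    for ch in str(product):
        if ch < "3":                   # '-', '0', '1', '2' shift by 33 = '!'
            out.append(chr(ord(ch) + ord("!")))
        else:
            out.append(_REMAP[ch])
    return "".join(out)


def same_hash(a: str, b: str) -> bool:
    """True when two distinct passwords would be accepted for the same account."""
    return a != b and vxworks_hash(a) == vxworks_hash(b)


if __name__ == "__main__":
    for pw in ("insecure", "s{{{{{^O"):   # the page's own sample pair
        print(f"{pw!r:12} -> {vxworks_hash(pw)}")
    print("collide:", same_hash("insecure", "s{{{{{^O"))
```

Running it reproduces the advisory's pair: both passwords sum to the same intermediate value and therefore print "Ry99dzRcy9". A device that stores hashes in this alphabet (Q R S b c d x y z 9 and N) is still using the weak scheme and needs the vendor-recommended replacement.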

Trust: 4.41

sources: NVD: CVE-2010-2967 // JVNDB: JVNDB-2010-005614 // JVNDB: JVNDB-2010-001882 // CERT/CC: VU#840249 // CNVD: CNVD-2010-3889 // BID: 42114 // IVD: 0183e958-2356-11e6-abef-000c29c66e3d // IVD: 7d753cb1-463f-11e9-876d-000c29342cb1 // VULHUB: VH-CVE-2010-2967 // PACKETSTORM: 92449

IOT TAXONOMY

category: ['IoT', 'ICS'] | sub_category: -

Trust: 0.6

category: ['ICS'] | sub_category: -

Trust: 0.4

sources: IVD: 0183e958-2356-11e6-abef-000c29c66e3d // IVD: 7d753cb1-463f-11e9-876d-000c29342cb1 // CNVD: CNVD-2010-3889

AFFECTED PRODUCTS

vendor: windriver | model: vxworks | scope: eq | version: 6.4

Trust: 1.6

vendor: windriver | model: vxworks | scope: eq | version: 5.5

Trust: 1.6

vendor: windriver | model: vxworks | scope: eq | version: 6

Trust: 1.6

vendor: windriver | model: vxworks | scope: eq | version: 5

Trust: 1.6

vendor: windriver | model: vxworks | scope: lte | version: 6.8

Trust: 1.0

vendor: wind river | model: vxworks | scope: lt | version: 6.9

Trust: 0.8

vendor: wind river | model: vxworks | scope: - | version: -

Trust: 0.8

vendor: ericsson | model: - | scope: - | version: -

Trust: 0.8

vendor: polycom | model: - | scope: - | version: -

Trust: 0.8

vendor: wind river | model: - | scope: - | version: -

Trust: 0.8

vendor: windriver | model: vxworks | scope: eq | version: 6.8

Trust: 0.6

vendor: wind | model: river systems vxworks through | scope: eq | version: 6.56.9

Trust: 0.6

vendor: vxworks | model: - | scope: eq | version: 5

Trust: 0.4

vendor: vxworks | model: - | scope: eq | version: 5.5

Trust: 0.4

vendor: vxworks | model: - | scope: eq | version: 6

Trust: 0.4

vendor: vxworks | model: - | scope: eq | version: 6.4

Trust: 0.4

vendor: vxworks | model: - | scope: eq | version: *

Trust: 0.4

vendor: wind | model: river systems vxworks | scope: eq | version: 0

Trust: 0.3

sources: NVD: CVE-2010-2967 // IVD: 0183e958-2356-11e6-abef-000c29c66e3d // IVD: 7d753cb1-463f-11e9-876d-000c29342cb1 // CNNVD: CNNVD-201008-031 // CNVD: CNVD-2010-3889 // JVNDB: JVNDB-2010-005614 // JVNDB: JVNDB-2010-001882 // BID: 42114 // CERT/CC: VU#840249

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2010-2967
value: HIGH

Trust: 1.8

CARNEGIE MELLON: VU#840249
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201008-031
value: HIGH

Trust: 0.6

CNVD: CNVD-2010-3889
value: HIGH

Trust: 0.6

IVD: 0183e958-2356-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

IVD: 7d753cb1-463f-11e9-876d-000c29342cb1
value: HIGH

Trust: 0.2

VUL-HUB: VH-CVE-2010-2967
value: HIGH RISK

Trust: 0.1

NVD: CVE-2010-2967
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.8

CARNEGIE MELLON: VU#840249
severity: HIGH
baseScore: 10.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2010-3889
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 0183e958-2356-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: 7d753cb1-463f-11e9-876d-000c29342cb1
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VH-CVE-2010-2967
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: NVD: CVE-2010-2967 // IVD: 0183e958-2356-11e6-abef-000c29c66e3d // IVD: 7d753cb1-463f-11e9-876d-000c29342cb1 // CNNVD: CNNVD-201008-031 // CNVD: CNVD-2010-3889 // JVNDB: JVNDB-2010-005614 // CERT/CC: VU#840249 // VULHUB: VH-CVE-2010-2967

PROBLEMTYPE DATA

problemtype: CWE-310

Trust: 1.9

sources: NVD: CVE-2010-2967 // JVNDB: JVNDB-2010-005614 // VULHUB: VH-CVE-2010-2967

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201008-031

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201008-031

CONFIGURATIONS

sources: NVD: CVE-2010-2967

PATCH

title: Top Page | url: http://www.windriver.com/

Trust: 0.8

title: Top Page | url: http://windriver.com/

Trust: 0.8

sources: JVNDB: JVNDB-2010-005614 // JVNDB: JVNDB-2010-001882

EXTERNAL IDS

db: CERT/CC | id: VU#840249

Trust: 4.4

db: NVD | id: CVE-2010-2967

Trust: 3.5

db: CNNVD | id: CNNVD-201008-031

Trust: 1.1

db: CNVD | id: CNVD-2010-3889

Trust: 1.0

db: JVNDB | id: JVNDB-2010-005614

Trust: 0.8

db: JVNDB | id: JVNDB-2010-001882

Trust: 0.8

db: ICS CERT | id: ICSA-10-214-01

Trust: 0.8

db: BID | id: 42114

Trust: 0.3

db: IVD | id: 0183E958-2356-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: IVD | id: 7D753CB1-463F-11E9-876D-000C29342CB1

Trust: 0.2

db: VULHUB | id: VH-CVE-2010-2967

Trust: 0.1

db: PACKETSTORM | id: 92449

Trust: 0.1

sources: NVD: CVE-2010-2967 // IVD: 0183e958-2356-11e6-abef-000c29c66e3d // IVD: 7d753cb1-463f-11e9-876d-000c29342cb1 // CNNVD: CNNVD-201008-031 // CNVD: CNVD-2010-3889 // JVNDB: JVNDB-2010-005614 // JVNDB: JVNDB-2010-001882 // BID: 42114 // CERT/CC: VU#840249 // VULHUB: VH-CVE-2010-2967 // PACKETSTORM: 92449

REFERENCES

url:http://www.kb.cert.org/vuls/id/840249

Trust: 3.6

url:http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

Trust: 2.6

url:http://www.kb.cert.org/vuls/id/mapg-863qh9

Trust: 2.4

url:https://support.windriver.com/olsportal/faces/maintenance/downloaddetails.jspx?contentid=033709

Trust: 2.4

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2967

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-2967

Trust: 0.8

url:http://jvn.jp/cert/jvnvu840249

Trust: 0.8

url:https://community.rapid7.com/community/metasploit/blog/2010/08/02/shiny-old-vxworks-vulnerabilities

Trust: 0.8

url:http://www.us-cert.gov/control_systems/pdf/icsa-10-214-01_vxworks_vulnerabilities.pdf

Trust: 0.8

url:http://blogs.windriver.com/chauhan/2010/08/vxworks-secure.html

Trust: 0.8

url:http://newsoft-tech.blogspot.com/2010/09/follow-up-on-vxworks-issue.html

Trust: 0.8

url:http://cvk.posterous.com/how-to-crack-vxworks-password-hashes

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/798.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/327.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/916.html

Trust: 0.8

url:http://www.windriver.com/

Trust: 0.3

url:/archive/1/512827

Trust: 0.3

url:/archive/1/512842

Trust: 0.3

url:http://www.rapid7.com/disclosure.jsp

Trust: 0.1

sources: NVD: CVE-2010-2967 // CNNVD: CNNVD-201008-031 // CNVD: CNVD-2010-3889 // JVNDB: JVNDB-2010-005614 // JVNDB: JVNDB-2010-001882 // BID: 42114 // CERT/CC: VU#840249 // PACKETSTORM: 92449

CREDITS

HD Moore

Trust: 0.3

sources: BID: 42114

SOURCES

db: NVD | id: CVE-2010-2967
db: IVD | id: 0183e958-2356-11e6-abef-000c29c66e3d
db: IVD | id: 7d753cb1-463f-11e9-876d-000c29342cb1
db: CNNVD | id: CNNVD-201008-031
db: CNVD | id: CNVD-2010-3889
db: JVNDB | id: JVNDB-2010-005614
db: JVNDB | id: JVNDB-2010-001882
db: BID | id: 42114
db: CERT/CC | id: VU#840249
db: VULHUB | id: VH-CVE-2010-2967
db: PACKETSTORM | id: 92449

LAST UPDATE DATE

2021-12-18T15:57:33.115000+00:00


SOURCES UPDATE DATE

db: NVD | id: CVE-2010-2967 | date: 2010-08-05T13:22:00
db: IVD | id: 0183e958-2356-11e6-abef-000c29c66e3d | date: -
db: IVD | id: 7d753cb1-463f-11e9-876d-000c29342cb1 | date: -
db: CNNVD | id: CNNVD-201008-031 | date: 2010-08-06T00:00:00
db: CNVD | id: CNVD-2010-3889 | date: 2010-08-05T00:00:00
db: JVNDB | id: JVNDB-2010-005614 | date: 2012-12-20T00:00:00
db: JVNDB | id: JVNDB-2010-001882 | date: 2010-08-26T00:00:00
db: BID | id: 42114 | date: 2010-08-05T19:46:00
db: CERT/CC | id: VU#840249 | date: 2014-06-02T00:00:00
db: VULHUB | id: VH-CVE-2010-2967 | date: 2020-11-04T00:00:00
db: PACKETSTORM | id: 92449 | date: -

SOURCES RELEASE DATE

db: NVD | id: CVE-2010-2967 | date: 2010-08-05T13:22:00
db: IVD | id: 0183e958-2356-11e6-abef-000c29c66e3d | date: 2010-08-05T00:00:00
db: IVD | id: 7d753cb1-463f-11e9-876d-000c29342cb1 | date: 2010-08-05T00:00:00
db: CNNVD | id: CNNVD-201008-031 | date: 2010-08-05T00:00:00
db: CNVD | id: CNVD-2010-3889 | date: 2010-08-05T00:00:00
db: JVNDB | id: JVNDB-2010-005614 | date: 2012-12-20T00:00:00
db: JVNDB | id: JVNDB-2010-001882 | date: 2010-08-26T00:00:00
db: BID | id: 42114 | date: 2010-08-02T00:00:00
db: CERT/CC | id: VU#840249 | date: 2010-08-02T00:00:00
db: VULHUB | id: VH-CVE-2010-2967 | date: 2010-08-04T00:00:00
db: PACKETSTORM | id: 92449 | date: 2010-08-03T18:01:12