alpine 3.8
crypto weakness #5

Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are frequently found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

open-vm-tools/src/open-vm-tools-stable-10.1.15/open-vm-tools/vgauth/lib/authPosix.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.8 crypto weakness.

```c
   if (!pwd) {
      // No such user
      return VGAUTH_E_AUTHENTICATION_DENIED;
   }

   if (*pwd->pw_passwd != '\0') {
      const char *passwd = pwd->pw_passwd;
      const char *crypt_pw;

      // looks like a shadow password, so use it instead
      if (strcmp(passwd, "x") == 0) {
         struct spwd *sp = getspnam(userName);
         if (sp) {
            passwd = sp->sp_pwdp;
         }
      }

      crypt_pw = crypt(password, passwd);
      if (!crypt_pw || (strcmp(crypt_pw, passwd) != 0)) {
         // Incorrect password
         return VGAUTH_E_AUTHENTICATION_DENIED;
      }

      // Clear out crypt()'s internal state, too.
      crypt("glurp", passwd);
   }
#endif /* !USE_PAM */

   return VGAuth_CreateHandleForUsername(ctx, userName,
                                         VGAUTH_AUTH_TYPE_NAMEPASSWORD,
                                         NULL, handle);
}


/*
 ******************************************************************************
 * VGAuthInitAuthenticationPlatform --                                   */ /**
 *
 * Initializes any POSIX-specific authentication resources.
 *
 * @param[in]  ctx        The VGAuthContext to initialize.
 *
 * @return VGAUTH_E_OK on success, VGAuthError on failure
 *
 ******************************************************************************
 */

VGAuthError
VGAuthInitAuthenticationPlatform(VGAuthContext *ctx)
{
```
