alpine 3.9
crypto weakness #9
Weakness Breakdown
Definition:
This weakness involves creating non-standard or non-tested algorithms, using weak algorithms or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly later found to be unsafe, as the algorithms were broken.
Warning code(s):
The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.
File Name:
monit/src/monit-5.25.2/src/util.c
Context:
The highlighted line of code below is the trigger point of this particular Alpine 3.9 crypto weakness.
if (! (temp = strchr(id + 1, '$ '))) {
LogError("Password not in MD5 format.\n");
return false;
}
temp += 1;
*temp = '\0';
salt[sizeof(salt) - 1] = 0;
strncpy(salt, c->passwd + strlen(id), sizeof(salt) - 1);
if (! (temp = strchr(salt, '$ '))) {
LogError("Password not in MD5 format.\n");
return false;
}
*temp = '\0';
if (md5_crypt(outside, id, salt, outside_crypt, sizeof(outside_crypt)) == NULL) {
LogError("Cannot generate MD5 digest error.\n");
return false;
}
break;
}
case Digest_Crypt:
{
char salt[3];
char *temp;
snprintf(salt, 3, "%c%c", c->passwd[0], c->passwd[1]);
temp = crypt(outside, salt);
outside_crypt[sizeof(outside_crypt) - 1] = 0;
strncpy(outside_crypt, temp, sizeof(outside_crypt) - 1);
break;
}
#ifdef HAVE_LIBPAM
case Digest_Pam:
return PAMcheckPasswd(uname, outside);
break;
#endif
default:
LogError("Unknown password digestion method.\n");
return false;
}
if (Str_compareConstantTime(outside_crypt, c->passwd) == 0)
return true;
return false;
}
static void _resetIOStatistics(IOStatistics_T S) {
Statistics_reset(&(S->operations));
Statistics_reset(&(S->bytes));
}
Products
Resources
The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.
© 2020 Polyverse