Authentication bypass vulnerability discovered in Bouncy Castle

Attackers can bypass password checks in applications that use Bouncy Castle’s OpenBSDBcrypt class.

Password stars on a computer screen

Security researchers have found a flaw in a Java cryptography library that could enable hackers to brute force Bcrypt hashed passwords. Once exploited, a hacker could gain administrator-level access to a single sign-on (SSO) system

CVE-2020-28052 is an authentication bypass vulnerability in the OpenBSDBcrypt class of the popular Bouncy Castle library. Bcrypt hashing–based authentication is used for authentication checks, for example, in web applications and APIs. 

The exploit means an attacker could effectively bypass password checks in applications using the Bcrypt algorithm for password hashing. According to a Synopsys blog post, the vulnerability in the method OpenBSDBcrypt.doCheckPassword was introduced in a GitHub commit.

Researchers said the doCheckPassword method implements a flawed verification routine. The code checks for an index of characters from 0 to 59 inclusive, rather than checking that characters at positions from 0 to 59 match. 

“This means that passwords that result in hashes that, for instance, don’t contain bytes between 0x00 and 0x3B match every other password hash that doesn’t contain them. Passing this check means an attacker doesn’t need a byte-for-byte match with the stored hash value,” researchers said.

In most cases where Bcrypt.doCheckPassword() is used to check a password, successful exploitation will cause an authentication bypass.

Researchers said a hacker must brute-force password attempts until they trigger a bypass.

“Our experiments show that 20% of tested passwords were successfully bypassed within 1,000 attempts. Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input,” said researchers.

Researchers shared the bug with Bouncy Castle on October 20, who fixed it in early November and published an advisory on December 18. The disclosure led Synopsys to check its use of the Bouncy Castle software, but none of its software used the affected versions.

According to researchers, affected software included Bouncy Castle 1.65 (released March 31, 2020) and Bouncy Castle 1.66 (released July 4, 2020). This authentication bypass issue affects no other versions of the software. Synopsys strongly recommended that software vendors and Bouncy Castle library users upgrade to Bouncy Castle Java release 1.67 or later.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
CISOs aren’t leading by example when it comes to cyber security
cyber security

CISOs aren’t leading by example when it comes to cyber security

24 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021