IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Authentication bypass vulnerability discovered in Bouncy Castle

Attackers can bypass password checks in applications that use Bouncy Castle’s OpenBSDBcrypt class.

Password stars on a computer screen

Security researchers have found a flaw in a Java cryptography library that could enable hackers to brute force Bcrypt hashed passwords. Once exploited, a hacker could gain administrator-level access to a single sign-on (SSO) system

CVE-2020-28052 is an authentication bypass vulnerability in the OpenBSDBcrypt class of the popular Bouncy Castle library. Bcrypt hashing–based authentication is used for authentication checks, for example, in web applications and APIs. 

The exploit means an attacker could effectively bypass password checks in applications using the Bcrypt algorithm for password hashing. According to a Synopsys blog post, the vulnerability in the method OpenBSDBcrypt.doCheckPassword was introduced in a GitHub commit.

Researchers said the doCheckPassword method implements a flawed verification routine. The code checks for an index of characters from 0 to 59 inclusive, rather than checking that characters at positions from 0 to 59 match. 

“This means that passwords that result in hashes that, for instance, don’t contain bytes between 0x00 and 0x3B match every other password hash that doesn’t contain them. Passing this check means an attacker doesn’t need a byte-for-byte match with the stored hash value,” researchers said.

In most cases where Bcrypt.doCheckPassword() is used to check a password, successful exploitation will cause an authentication bypass.

Researchers said a hacker must brute-force password attempts until they trigger a bypass.

“Our experiments show that 20% of tested passwords were successfully bypassed within 1,000 attempts. Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input,” said researchers.

Researchers shared the bug with Bouncy Castle on October 20, who fixed it in early November and published an advisory on December 18. The disclosure led Synopsys to check its use of the Bouncy Castle software, but none of its software used the affected versions.

According to researchers, affected software included Bouncy Castle 1.65 (released March 31, 2020) and Bouncy Castle 1.66 (released July 4, 2020). This authentication bypass issue affects no other versions of the software. Synopsys strongly recommended that software vendors and Bouncy Castle library users upgrade to Bouncy Castle Java release 1.67 or later.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Google merges Chrome and Android password managers after community feedback
Security

Google merges Chrome and Android password managers after community feedback

1 Jul 2022
Best free malware removal tools 2022
Security

Best free malware removal tools 2022

22 Jun 2022
A guide to cyber security certification and training
Careers & training

A guide to cyber security certification and training

16 Jun 2022
What is shoulder surfing?
social engineering

What is shoulder surfing?

10 Jun 2022

Most Popular

Raspberry Pi launches next-gen Pico W microcontroller with networking support
Hardware

Raspberry Pi launches next-gen Pico W microcontroller with networking support

1 Jul 2022
Universities are fighting a cyber security war on multiple fronts
cyber security

Universities are fighting a cyber security war on multiple fronts

4 Jul 2022
Hackers claim to steal personal data of over a billion people in China
data breaches

Hackers claim to steal personal data of over a billion people in China

4 Jul 2022