
List:       oss-security
Subject:    [oss-security] Re: [security] Re: [oss-security] Sonatype Nexus Repository Manager 2.x weak password
From:       Brian Fox <brianf () sonatype ! com>
Date:       2017-12-17 21:12:55
Message-ID: CAOhT-pNuDgsC2a7V=MLSpe_2P46c0ZjM3aDYg7QvuzPFKE55yg () mail ! gmail ! com


I don't think this is very kosher to go and file a public ticket before
even contacting us.

On Sun, Dec 17, 2017 at 3:03 PM, Raphael Geissert <atomo64@gmail.com> wrote:

> Hi,
>
> On Sunday, 17 December 2017 15:17:45 CET Stefano Brivio wrote:
> > On Sun, 17 Dec 2017 13:53:47 +0100
> >
> > Raphael Geissert <atomo64@gmail.com> wrote:
> > > Hi,
> > >
> > > The Nexus Repository Manager in at least version 2.14.5 [0] (latest of
> > > the 2.x series), stores the LDAP bind password in an on-disk file
> > > using PBE (bouncy castle's implementation of PBEWithSHAAnd128BitRC4).
> > >
> > > This is all great except for:
> > > - it using only 23 iterations[1]
> > > - it using a hard-coded and weak password[2]
> > >
> > > Therefore offering as much protection as a rot13 would.
> > >
> > > Given that the same PasswordHelper containing the weak password is
> > > present elsewhere in the code, it is very likely that this weak crypto
> > > issue affects other passwords stored by Nexus:
> > >
> > > - components/nexus-core/src/main/java/org/sonatype/nexus/configuration/PasswordHelper.java[3]
> > > - components/nexus-security/src/main/java/org/sonatype/security/configuration/source/PasswordHelper.java[4]
> > >
> > > It appears that this code is no longer used by the 3.x series.
> > >
> > > FWIW, the on-file password is:
> > >
> > > base64(SALT_SIZE || SALT || PBE_OUTPUT )
> > >
> > > SALT_SIZE always being 8 (hard-coded).
> > >
> > > N.b. I'll be filing a CVE request in a moment.
>
> This is now CVE-2017-17717.
>
> > > N.b. I have not contacted sonatype. I couldn't find an email address.
> >
> > The page at https://www.sonatype.com/contactus says:
> >
> > 1. Send urgent or sensitive reports to security@sonatype.com.
> > 2. Use our public key to keep your message safe.
> > 3. Provide us with a secure way to respond.
> > 4. We'll get back to you as soon as we can. Usually within 24 hours.
>
> Oh, I somehow missed it. Thanks for the pointer and for copying it to
> sonatype.
>
> Cheers,
> --
> Raphael Geissert
>
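Added example, not code from the thread or from Sonatype: a small Python parser for the on-disk layout quoted above, base64(SALT_SIZE || SALT || PBE_OUTPUT). It assumes SALT_SIZE is stored as a single byte, uses a constructed blob rather than real Nexus output, and shows one consequence of the RC4 choice: a stream cipher adds no padding, so the blob length reveals the length of the stored bind password.

```python
import base64

# Constructed sample: SALT_SIZE byte (8), an 8-byte salt, 12 bytes of PBE_OUTPUT.
# These bytes are made up for the example; they are not real Nexus output.
SAMPLE_BLOB = base64.b64encode(
    bytes([8]) + bytes(range(1, 9)) + b"X" * 12
).decode()

# Constructed malformed sample: a 16-byte salt, which Nexus 2.x never writes.
BAD_SALT_SIZE_BLOB = base64.b64encode(bytes([16]) + b"\x00" * 16 + b"Y" * 4).decode()


def parse_nexus_pbe_blob(encoded: str) -> dict:
    """Split a value of the form base64(SALT_SIZE || SALT || PBE_OUTPUT)
    into its fields, checking the layout the report describes.

    Assumption (not stated in the thread): SALT_SIZE occupies one byte."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) < 2:
        raise ValueError("blob too short to hold SALT_SIZE and a salt")
    salt_size = raw[0]
    if salt_size != 8:
        raise ValueError(f"unexpected SALT_SIZE {salt_size}; Nexus 2.x hard-codes 8")
    if len(raw) < 1 + salt_size + 1:
        raise ValueError("blob truncated: no PBE output after the salt")
    salt = raw[1:1 + salt_size]
    pbe_output = raw[1 + salt_size:]
    return {
        "salt_size": salt_size,
        "salt": salt,
        "pbe_output": pbe_output,
        # RC4 is a stream cipher with no padding, so ciphertext length equals
        # plaintext length: the stored blob leaks the bind password's length.
        "plaintext_length": len(pbe_output),
    }


def is_well_formed(encoded: str) -> bool:
    """True when the blob matches the expected Nexus 2.x layout."""
    try:
        parse_nexus_pbe_blob(encoded)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    fields = parse_nexus_pbe_blob(SAMPLE_BLOB)
    print(f"salt={fields['salt'].hex()} plaintext_length={fields['plaintext_length']}")
```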

