Synopsys CyRC researchers have discovered CVE-2020-28052, an authentication bypass vulnerability in the OpenBSDBcrypt class of the widely used Java cryptography library Bouncy Castle. This class implements the Bcrypt algorithm for password hashing. Attackers can bypass password checks in applications that use Bouncy Castle’s OpenBSDBcrypt class.
The vulnerability in the method OpenBSDBcrypt.doCheckPassword was introduced in commit 00dfe74aeb4f6300dd56b34b5e6986ce6658617e.
The doCheckPassword method implements a flawed verification routine. Instead of checking that the characters at positions 0 to 59 match, the code compares the index at which each character with a value from 0 to 59 inclusive first appears. This means that, for instance, a password whose hash contains no bytes between 0x00 and 0x3B matches every other password hash that also contains none. Because the check can pass this way, an attacker doesn't need a byte-for-byte match with the stored hash value.
    boolean isEqual = sLength == newBcryptString.length();
    for (int i = 0; i != sLength; i++)
        // Flaw: indexOf(i) looks up the character whose code is i; it does not read position i.
        isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
In most cases where Bcrypt.doCheckPassword() is used to check a password, successful exploitation will cause an authentication bypass.
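The comparison quoted above, set beside a position-by-position comparison, as an added example that is not Bouncy Castle's own code or its patch. The class name, the method names and the three 60-character strings are constructed for illustration; the strings follow the bcrypt layout (7-character prefix, 22-character salt, 31-character hash) but are not real hashes.

```java
public class BcryptCompareDemo {
    // Same logic as the flawed loop quoted above: for each i in 0..59 it asks
    // where the character with code i first occurs (-1 if absent) in each string.
    static boolean flawedEquals(String bcryptString, String newBcryptString) {
        int sLength = bcryptString.length();
        boolean isEqual = sLength == newBcryptString.length();
        for (int i = 0; i != sLength; i++) {
            isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
        }
        return isEqual;
    }

    // Hypothetical corrected form: compare the characters at each position and
    // accumulate differences so the loop never exits early on a mismatch.
    static boolean positionalEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed values. Version, cost and salt are shared because the
        // candidate hash is always recomputed with the stored salt.
        String prefix = "$2y$10$" + "abcdefghijklmnopqrstuv";
        // Hash part made only of letters: no character code in 0x00..0x3B.
        String stored = prefix + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde";
        String lettersOnly = prefix + "edcbaZYXWVUTSRQPONMLKJIHGFEDCBA";
        // Hash part containing '7' (0x37), which the prefix does not contain.
        String withDigit = prefix + "7BCDEFGHIJKLMNOPQRSTUVWXYZabcde";

        System.out.println("flawed, letters-only hash:     " + flawedEquals(stored, lettersOnly));
        System.out.println("flawed, hash with a digit:     " + flawedEquals(stored, withDigit));
        System.out.println("positional, letters-only hash: " + positionalEquals(stored, lettersOnly));
        System.out.println("positional, identical string:  " + positionalEquals(stored, stored));
    }
}
```

The flawed method treats the two letters-only strings as equal even though their hash parts differ, because the only characters with codes 0 to 59 sit in the shared prefix; the positional comparison rejects them.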