CyRC analysis: Authentication bypass vulnerability in Bouncy Castle

Overview

Synopsys CyRC researchers have discovered CVE-2020-28052, an authentication bypass vulnerability in the OpenBSDBcrypt class of the widely used Java cryptography library Bouncy Castle. This class implements the Bcrypt algorithm for password hashing. Attackers can bypass password checks in applications that use Bouncy Castle’s OpenBSDBcrypt class. 

The vulnerability in the method OpenBSDBcrypt.doCheckPassword was introduced in commit 00dfe74aeb4f6300dd56b34b5e6986ce6658617e. 

The doCheckPassword method implements a flawed verification routine. The code checks for an index of characters from 0 to 59 inclusive, rather than checking that characters at positions from 0 to 59 match. This means that passwords that result in hashes that, for instance, don’t contain bytes between 0x00 and 0x3B match every other password hash that don’t contain them. Passing this check means an attacker doesn’t need a byte-for-byte match with the stored hash value. 

boolean isEqual = sLength == newBcryptString.length();
for (int i = 0; i != sLength; i++)
{
    isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
}
return isEqual;

In most cases where Bcrypt.doCheckPassword() is used to check a password, successful exploitation will cause an authentication bypass.

Exploitation

An attacker must brute-force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1,000 attempts. Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input. 

Affected software

• Bouncy Castle 1.65 (released 3/31/2020) and Bouncy Castle 1.66 (released 7/4/2020) are affected by CVE-2020-28052.
• Bouncy Castle 1.67 (released 11/1/2020) fixes this vulnerability. Versions prior to 1.65 are not affected by CVE-2020-28052.

Note: As a result of this disclosure, Synopsys investigated its own products and found none used Bouncy Castle version 1.65 or 1.66 at the time this disclosure was published. 

Impact

Bcrypt hashing–based authentication may be used for authentication checks, for example, in web applications and APIs. 

CVSS 3.1 score

Bouncy Castle is a software library. The following worst-case implementation scenario was assumed in determining the CVSS score (following FIRST CVSS scoring guidelines for software libraries): 

Bcrypt hashing is used to check user-supplied passwords. Once the authentication bypass is triggered, attackers can perform the same operations as a legitimate user (gaining administrator-level access to a single-sign-on system, for example). 

Vector:  AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

Score: 8.1 

Exploitability metrics: 
Attack Vector (AV): N = Network 
Attack Complexity (AC): H = High 
Privileges Required (PR): N = None 
User Interaction (UI): N = None 
Scope (S): C = Changed scope

Impact metrics 
Confidentiality Impact (C): H = High impact 
Integrity Impact (I): H = High impact 
Availability Impact (A): H = High impact

Remediation

Software vendors and users of the library are strongly encouraged to upgrade to Bouncy Castle Java release 1.67 or later.

Discovery credit

A team of researchers from Synopsys Cybersecurity Research Center (CyRC) in Oulu, Finland, discovered the issue:

• Matti Varanka
• Tero Rontti

Synopsys would like to thank the Bouncy Castle team for their responsiveness and for addressing this matter in a timely manner.