Bug 51195 - [UCS 4.4] UCS still uses md5 to hash initial password for root
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: System setup
UCS 4.4
Other Linux
: P5 normal
: UCS 4.4-4-errata
Assigned To: Felix Botner
Erik Damrose
: 51194
Depends on: 51194
Blocks:
Reported: 2020-04-30 13:50 CEST by Ingo Steuwer
Modified: 2020-06-10 14:43 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
Description Ingo Steuwer univentionstaff 2020-04-30 13:50:02 CEST
clone to fix in next UCS 4.4 installation DVD

+++ This bug was initially created as a clone of Bug #51194 +++

# grep -n md5 /usr/lib/univention-system-setup/scripts/10_basis/18root_password
65:usermod -p "$(mkpasswd -H md5 "$root_password")" root

# grep root /etc/shadow
root:$1$UA2XFeyu$1KmEIwd9u0BOFR/A8AvcY.:18018:0:99999:7:::
      ^ ^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^
      | \_salt_/ \_____encrypted______/
      +- 1=MD5
         2a=Blowfish
         5=SHA-256
         6=SHA-512
from <man:crypt(3)>

# ls -l /etc/shadow
-rw-r----- 1 root shadow 1328 Nov 19 16:28 /etc/shadow

IFF I can get read access to that file, I can get the md5 hash, crack it and try it for uid=Administrator, which gives me full access to LDAP (and all other hosts of the domain).

NIST banned SHA-1 in 2015 and MD5 is even older.
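As an added example (not part of this bug report or of UCS), a small Python audit that parses /etc/shadow lines using the crypt(3) `$id$salt$hash` layout shown above and reports active accounts still hashed with id 1 (MD5). The only line taken from the report is the root entry; the other sample entries are constructed, and the yescrypt id `y` is an addition beyond the ids the report lists.

```python
from typing import NamedTuple, Optional

# crypt(3) hash identifiers named in the bug description, plus yescrypt ("y"),
# which newer Debian-based systems also emit (added by the example author).
CRYPT_IDS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
# Identifiers an audit should flag; the bug is that 18root_password emitted "$1$".
WEAK_IDS = {"1"}

class ShadowEntry(NamedTuple):
    user: str
    crypt_id: Optional[str]   # "1", "6", ... ; None when there is no usable hash
    algorithm: str
    locked: bool

def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow line into (user, crypt id, algorithm name, locked)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, pw = fields[0], fields[1]
    if pw == "" or pw[0] in "!*":
        return ShadowEntry(user, None, "none", True)      # locked or no password
    if not pw.startswith("$"):
        return ShadowEntry(user, None, "DES", False)      # traditional crypt, no $id$
    # ['', id, optional params such as rounds=N, salt, hash]; hash is the last part
    parts = pw.split("$")
    if len(parts) < 4 or not parts[-1]:
        raise ValueError(f"unrecognised crypt string for {user!r}")
    cid = parts[1]
    return ShadowEntry(user, cid, CRYPT_IDS.get(cid, f"unknown({cid})"), False)

def weak_accounts(shadow_text: str) -> list[tuple[str, str]]:
    """Return (user, algorithm) for every active account whose hash id is in WEAK_IDS."""
    hits = []
    for line in shadow_text.splitlines():
        if line.strip():
            entry = parse_shadow_line(line)
            if not entry.locked and entry.crypt_id in WEAK_IDS:
                hits.append((entry.user, entry.algorithm))
    return hits

# Constructed sample: the root line from the report plus invented entries.
SAMPLE_SHADOW = """\
root:$1$UA2XFeyu$1KmEIwd9u0BOFR/A8AvcY.:18018:0:99999:7:::
daemon:*:18018:0:99999:7:::
alice:$6$rounds=5000$c0nstructedSalt$NotARealHashJustForTheExample:18400:0:99999:7:::
bob:!$6$c0nstructedSalt$LockedAccountHash:18400:0:99999:7:::
"""

if __name__ == "__main__":
    for user, algo in weak_accounts(SAMPLE_SHADOW):
        print(f"{user}: weak password hash ({algo})")
```

Run it against a copy of a real shadow file only as root, since the file is mode 0640 root:shadow as shown above.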
Comment 1 Felix Botner univentionstaff 2020-06-02 11:16:29 CEST
0274712f662e1fe4687d451a0b9980aa68a2b06d - yaml

c569e7a974eda6ba2fa3e2e9dad6a8f80c23187a - univention-system-setup
6e76f5e86da57ebe84cc27a64ac366918a450f24
Comment 2 Felix Botner univentionstaff 2020-06-02 11:18:02 CEST
*** Bug 51194 has been marked as a duplicate of this bug. ***
Comment 3 Erik Damrose univentionstaff 2020-06-03 16:02:18 CEST
OK: univention-system-setup 12.0.2-24A~4.4.0.202005281715
OK: password hashed with SHA-512 after system setup
OK: Test DVD + Appliance
OK: yaml
Verified
Comment 4 Erik Damrose univentionstaff 2020-06-10 14:43:01 CEST
<http://errata.software-univention.de/ucs/4.4/622.html>