[engineering.redhat.com #278019] Insufficient salting in the net-ldap Ruby gem
Red Hat Security Response Team
secalert at redhat.com
Thu Feb 13 06:40:14 UTC 2014
On Wed Feb 12 15:03:04 2014, pierre.carrier at airbnb.com wrote:
> SSHA passwords generated by the net-ldap Ruby gem use a salt between
> "0" and "999", only providing 10 bits of entropy.
> This is an attack vector, making attacks based on rainbow tables
> significantly easier than with a strong salt.
Thanks for sending this.
From the CVE perspective this is a classic "intended security protection that fails to work as intended": the point of salting is to increase workload enough to make pre-computation and storage of the results difficult to impossible; a factor of 1000 is simply not enough in the modern world of GPUs and 4TB HDs and rainbow tables with chains.
Please use CVE-2014-0083 for this issue. Also can an issue be opened upstream if it hasn't already been done? Thanks.
> This E-mail is sent to the current upstream maintainer and all vendors
> that distribute a version of that gem.
> Your version might not be affected; if not, sorry for the noise.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
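The salt handling the report describes, as an added example that is not code from the net-ldap gem or from this thread: a hypothetical `ssha_hash`/`ssha_verify` pair that uses a 16-byte random salt, and a `weak_salt?` audit that flags stored {SSHA} values whose salt is shorter than 8 bytes or is a one-to-three-digit decimal string (the "0" to "999" shape the report attributes to the gem is assumed here to be the decimal string itself).

```ruby
require 'securerandom'
require 'digest/sha1'
require 'base64'

SALT_BYTES = 16 # 128 bits of salt; the report's ~10 bits is the weak case

# Constant-time comparison of two byte strings (avoids early exit on mismatch).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build an {SSHA} value: base64( SHA1(password || salt) || salt ).
# A fresh random salt is drawn per call unless one is supplied (tests only).
def ssha_hash(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}" + Base64.strict_encode64(digest + salt.b)
end

# Split a stored {SSHA} value into [sha1_digest, salt]; nil if malformed.
def ssha_parts(stored)
  return nil unless stored.start_with?("{SSHA}")
  raw = Base64.strict_decode64(stored.sub("{SSHA}", ""))
  return nil if raw.bytesize < 20
  [raw[0, 20], raw[20..-1]]
rescue ArgumentError
  nil # not valid base64
end

# Verify a candidate password against a stored {SSHA} value.
def ssha_verify(password, stored)
  digest, salt = ssha_parts(stored)
  return false if digest.nil?
  secure_equal?(digest, Digest::SHA1.digest(password.b + salt))
end

# Audit helper: true when the salt is too short to defeat precomputation,
# or looks like the 0..999 decimal counter the report describes (assumption).
def weak_salt?(stored)
  _digest, salt = ssha_parts(stored)
  return true if salt.nil?
  salt.bytesize < 8 || salt.match?(/\A\d{1,3}\z/)
end
```

Run `weak_salt?` over an exported userPassword column to find entries that need re-hashing at next login.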