Skip to content

CVE 2020 28052

dghgit edited this page Dec 17, 2020 · 3 revisions

Issue affecting: BC 1.65 and BC 1.66.

Fixed versions: BC 1.67 or later

Issue: CWE-1025: Comparison Using Wrong Factors

A comparison error in OpenBSDBCrypt.checkPassword() can result in an incorrect password been accepted as a valid one. Do not use OpenBSDBCrypt.checkPassword() in either BC 1.65 or BC 1.66. The bug is quite insidious as it can create the impression the code is working. It is not and any usage of OpenBSDBCrypt.checkPassword() for BC 1.65 or BC 1.66 needs to be removed.

See commit https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219 for the changes.

Workaround Details

If you have to use either BC 1.65 or BC 1.66 and you need to do password checking for OpenBSDBcrypt use the code given in the doCheckPassword() method in:

https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java

It's a static method - the code can be copied into your own utility class without issue.