[synology] embed driver uses the insecure MD5 algorithm

Bug #1942301 reported by Kevin Li
Affects: Cinder | Status: New | Importance: Low | Assigned to: Unassigned | Milestone: (none listed)

Bug Description

Synology driver uses the insecure MD5 algorithm in the derive-key/IV step of AES, and PKCS1v15 padding in RSA encryption. It should use a more secure hash algorithm, and OAEP padding in RSA encryption.
  Pre-conditions: NA
  Step-by-step reproduction steps: NA
  Expected output: NA
  Actual output: NA

Version: Train

Environment: NA

Perceived severity: NA

Tags (Affected component): NA
Attachments: Synology driver uses the insecure MD5 algorithm in the derive-key/IV step of AES, and PKCS1v15 padding in RSA encryption.
cinder/volume/drivers/synology/synology_common.py
AESCipher._derive_key_and_iv
    import hashlib

    def _derive_key_and_iv(self, password, salt, key_length, iv_length):
        # OpenSSL EVP_BytesToKey construction: each block is
        # MD5(previous block || password || salt). There is no iteration
        # count, so one password guess costs roughly one MD5 per 16 bytes.
        d = d_i = b''
        while len(d) < key_length + iv_length:
            md5_str = d_i + password + salt
            d_i = hashlib.md5(md5_str).digest()
            d += d_i
        return d[:key_length], d[key_length:key_length + iv_length]

Session._encrypt_RSA
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.asymmetric import padding, rsa

    def _encrypt_RSA(self, modulus, passphrase, text):
        # RSAPublicNumbers(e, n): the first argument is the public exponent,
        # which this driver receives under the name "passphrase".
        public_numbers = rsa.RSAPublicNumbers(passphrase, modulus)
        public_key = public_numbers.public_key(default_backend())

        if isinstance(text, str):
            text = text.encode('utf-8')

        # PKCS#1 v1.5 padding is the point of the report; OAEP is the
        # recommended padding for new RSA encryption.
        ciphertext = public_key.encrypt(
            text,
            padding.PKCS1v15()
        )
        return ciphertext

Stx driver uses the insecure MD5 algorithm in login. It should use a more secure hash algorithm, such as sha512.
  Pre-conditions: NA
  Step-by-step reproduction steps: NA
  Expected output: NA
  Actual output: NA

Version: Train

Environment: NA

Perceived severity: NA

Tags (Affected component): NA
Attachments: Stx driver uses the insecure MD5 algorithm in login.
cinder/volume/drivers/stx/client.py
STXClient._get_session_key
    import hashlib

    import requests
    import six
    from oslo_log import log as logging

    from cinder import coordination
    from cinder.i18n import _
    from cinder.volume.drivers.stx import exception as stx_exception

    LOG = logging.getLogger(__name__)

    @coordination.synchronized('{self._driver_name}-{self._array_name}')
    def _get_session_key(self):
        """Retrieve a session key from the array."""

        self._session_key = None
        # The array accepts MD5("login_password") as the login credential,
        # and it travels as a path component of the login URL.
        hash_ = "%s_%s" % (self._login, self._password)
        if six.PY3:
            hash_ = hash_.encode('utf-8')
        hash_ = hashlib.md5(hash_) # nosec
        digest = hash_.hexdigest()

        url = self._base_url + "/login/" + digest
        try:
            xml = requests.get(url, verify=self.ssl_verify, timeout=30)
        except requests.exceptions.RequestException:
            msg = _("Failed to obtain MC session key")
            LOG.exception(msg)
            raise stx_exception.ConnectionError(message=msg)
       ... ...

Tags: md5 synology
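Added example, not code from the bug report or from the Cinder drivers: it reproduces the EVP_BytesToKey-style MD5 derivation that the Synology driver uses, puts a PBKDF2-HMAC-SHA256 derivation with the same interface beside it, and shows the practical difference the report is pointing at: whoever obtains a derived key (or a ciphertext they can test against) can try candidate passwords at one MD5 call per guess, while the PBKDF2 form costs one full iteration count per guess. The password, salt and candidate word list are constructed for this example; the function names are this example's own.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for this example; not values from any real array or driver.
PASSWORD = b"cinder-demo-password"
SALT = bytes.fromhex("0011223344556677")  # 8-byte salt, the size EVP_BytesToKey uses
KEY_LEN, IV_LEN = 32, 16                   # AES-256 key plus a CBC IV


def derive_key_and_iv_md5(password, salt, key_length, iv_length):
    """OpenSSL EVP_BytesToKey with MD5, the construction used in the driver.

    Each block is MD5(previous block || password || salt). There is no
    iteration count, so one guess costs about one MD5 call per 16 bytes.
    """
    d = d_i = b""
    while len(d) < key_length + iv_length:
        d_i = hashlib.md5(d_i + password + salt).digest()
        d += d_i
    return d[:key_length], d[key_length:key_length + iv_length]


def derive_key_and_iv_pbkdf2(password, salt, key_length, iv_length, iterations=600_000):
    """Replacement: PBKDF2-HMAC-SHA256 with a tunable work factor.

    Same interface as the MD5 version so the caller does not change; the
    iteration count is what makes offline guessing expensive.
    """
    d = hashlib.pbkdf2_hmac("sha256", password, salt, iterations,
                            dklen=key_length + iv_length)
    return d[:key_length], d[key_length:key_length + iv_length]


def guess_password(target_key, salt, candidates, kdf, **kdf_kwargs):
    """Offline dictionary attack against a derived key.

    Models an attacker who holds a derived key: re-run the KDF per
    candidate and compare. Returns the matching candidate or None.
    """
    for cand in candidates:
        key, _iv = kdf(cand, salt, KEY_LEN, IV_LEN, **kdf_kwargs)
        if hmac.compare_digest(key, target_key):
            return cand
    return None


def compare_cost(candidates, iterations=600_000):
    """Run the dictionary attack against both KDFs; return what each
    recovered and the measured seconds per guess."""
    key_md5, _ = derive_key_and_iv_md5(PASSWORD, SALT, KEY_LEN, IV_LEN)
    key_pb, _ = derive_key_and_iv_pbkdf2(PASSWORD, SALT, KEY_LEN, IV_LEN, iterations)
    out = {}
    for name, key, kdf, kwargs in (
        ("md5", key_md5, derive_key_and_iv_md5, {}),
        ("pbkdf2", key_pb, derive_key_and_iv_pbkdf2, {"iterations": iterations}),
    ):
        start = time.perf_counter()
        found = guess_password(key, SALT, candidates, kdf, **kwargs)
        elapsed = time.perf_counter() - start
        out[name] = {"found": found, "seconds_per_guess": elapsed / len(candidates)}
    return out


if __name__ == "__main__":
    # Constructed candidate list; the real password is the last entry.
    words = [b"password", b"synology", b"openstack", PASSWORD]
    for name, r in compare_cost(words).items():
        print(f"{name:7s} recovered={r['found']!r} "
              f"cost={r['seconds_per_guess']:.2e} s/guess")
```

On the RSA half of the report, the padding change in the `cryptography` library is `public_key.encrypt(text, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None))` in place of `padding.PKCS1v15()`, with the caveat that the Synology side has to decrypt with the same padding, so the change is only possible if the appliance API accepts it. The same caveat applies to the STX login digest: the hash of `login_password` is the form the array's REST interface accepts, so moving off MD5 there depends on what the array firmware supports rather than on the client alone.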
Revision history for this message
Sofia Enriquez (lsofia-enriquez) wrote :
Changed in cinder:
importance: Undecided → Low
summary: - embed driver uses the insecure MD5 algorithm
+ [synology] embed driver uses the insecure MD5 algorithm
tags: added: md5 synology
