I reviewed libntlm 1.6-4 as checked into kinetic. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
- CVE History:
  - CVE-2019-17455
    - "It was discovered that Libntlm incorrectly handled specially crafted NTML requests. An attacker could possibly use this issue to cause a denial of service or another unspecified impact."
    - https://ubuntu.com/security/notices/USN-5108-1
- Open Bugs?
  - "Problem with cross domain authentication"
    - https://gitlab.com/gsasl/libntlm/-/issues/1
- Build-Depends?
  - gnulib built into package for DES
  - linux-vdso.so.1
  - libc.so.6
  - ld-linux-x86-64.so.2
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - none
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - yes
- cron jobs?
  - none
- Build logs:
  - handful of "warning: inlining failed in call to 'getUnicodeString.constprop'" on build
- Processes spawned?
  - not checked
- Memory management?
  - four memcpy calls in smbutil.c
    - first use is very obtuse
    - no size checking--might be fine
- File IO?
  - no, only test code
- Logging?
  - no, only example code
- Environment variable usage?
  - none
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - NTLMv1 is deprecated and highly unsafe (!)
  - implementation looks good
- Use of temp files?
  - none
- Use of networking?
  - no, only example code
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - smbutil.c:317 assigns a pointer to Null
    - AddString appears to be purposely built this way
- Any significant Coverity results?
  - gnulib overwrites part of a buffer being copied in md4_process_bytes function
    - perhaps intentional if buffer is under 16? should use memmove otherwise
    - Libntlm calls md4_buffer which calls md4_process_bytes
    - ./gl/md4.c:269
  - test code reports ignored
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
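As an added illustration of the overlap question raised by the Coverity item above (constructed example, not code from libntlm or gnulib): a model of a block-buffering hash context that slides its leftover bytes to the front of the same buffer, together with the range check that decides whether memcpy is defined or memmove is needed. The 128-byte buffer, the source offset of 64 bytes (32-bit word index 16) and all names are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model of the leftover-handling step behind the Coverity
 * report: a hash context buffers input in 64-byte blocks and, after
 * consuming one block, slides the remaining bytes from the middle of the
 * same buffer to its start. Sizes and offsets are assumptions, not copied. */
#define BLOCK_LEN 64
#define CTX_BUF_LEN (2 * BLOCK_LEN)

struct hash_ctx {
    unsigned char buffer[CTX_BUF_LEN];
    size_t buflen;                  /* bytes currently held in buffer */
};

/* True when the source and destination ranges of an n-byte copy share a
 * byte: memcpy is undefined behaviour in that case, memmove is not. */
int copy_overlaps(const unsigned char *dst, const unsigned char *src, size_t n)
{
    return n != 0 && dst < src + n && src < dst + n;
}

/* Slide whatever follows the first block to the front of the buffer.
 * Returns 1 when the ranges were disjoint (memcpy is fine, as it is while
 * the remainder is shorter than one block), 0 when memmove was required. */
int slide_leftover(struct hash_ctx *c)
{
    if (c->buflen < BLOCK_LEN)
        return 1;                   /* no block consumed, nothing to slide */
    size_t left = c->buflen - BLOCK_LEN;
    unsigned char *dst = c->buffer, *src = c->buffer + BLOCK_LEN;
    int disjoint = !copy_overlaps(dst, src, left);
    if (disjoint)
        memcpy(dst, src, left);
    else
        memmove(dst, src, left);
    c->buflen = left;
    return disjoint;
}

/* Fill a context with bytes 0..99, consume one block and confirm the 36
 * leftover bytes 64..99 now sit at the front. Returns 1 on success. */
int demo_slide(void)
{
    struct hash_ctx c;
    for (size_t i = 0; i < 100; i++)
        c.buffer[i] = (unsigned char)i;
    c.buflen = 100;
    return slide_leftover(&c) == 1 && c.buflen == 36
        && c.buffer[0] == 64 && c.buffer[35] == 99;
}
```

The remainder is always shorter than one block in this model, so the copy never overlaps; the check is what a reviewer would want to see stated explicitly before accepting memcpy there.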
From Libntlm's README:
"""
I don't consider NTLM a secure authentication protocol -- it uses MD4
and single-DES. MD4 has been broken, and single-DES have a too small
key size to be considered secure against brute-force attacks. You
should only use libntlm for interoperability purposes, not to achieve
any kind of security.
"""
This package encourages the use of NTLMv1. It implies that an NTLM server should use deprecated authentication. In many scenarios this means enabling SMBv1 as well! This is only acceptable in completely controlled environments.
- https://support.microsoft.com/en-us/topic/security-guidance-for-ntlmv1-and-lm-network-authentication-da2168b6-4a31-0088-fb03-f081acde6e73
Security team ACK for promoting libntlm to main.