Hashed passwords stored as MD5 hashes in /etc/shadow

Bug #1807479 reported by Earl Ruby on 2018-12-08
Affects: system-config-kickstart (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

The root password (if specified) and initial user account password (required) are encrypted using an (insecure) MD5 hash. The resulting kickstart file will build virtual machines that store the MD5 hashed password in /etc/shadow for the root and/or initial user.

Currently Ubuntu uses SHA512 for storing hashed passwords in /etc/shadow, but MD5 still works for the sake of backwards compatibility. Using MD5 hashes for any passwords is highly insecure and should be avoided.

1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu

$ lsb_release -rd
Description: Ubuntu 18.10
Release: 18.10

2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center

$ apt-cache policy system-config-kickstart
system-config-kickstart:
  Installed: 2.5.20-0ubuntu25
  Candidate: 2.5.20-0ubuntu25
  Version table:
 *** 2.5.20-0ubuntu25 500
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu bionic/universe i386 Packages
        100 /var/lib/dpkg/status

3) What you expected to happen

I expected system-config-kickstart to use SHA512 for storing hashed passwords. (Hash starts with "$6$".)

4) What happened instead

system-config-kickstart used MD5 for storing hashed passwords. (Hash starts with "$1$".)
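The report's check is the "$id$" prefix of the crypt(3) string: "$1$" is md5crypt, "$6$" is sha512crypt. The script below is an added example, not code from system-config-kickstart or from the bug reporter: it classifies the password field of /etc/shadow-style lines and of kickstart `rootpw` / `user` directives by that prefix and flags entries a current Ubuntu should not produce (md5crypt, DES crypt, a password left in the clear). The sample shadow and kickstart lines are constructed here, with a "$6$" string of the right shape rather than a real hash.

```python
"""Audit the password hashes a kickstart file or /etc/shadow carries.

Added example; not code from system-config-kickstart or the bug reporter.
"""
import re
import shlex
import sys
from typing import Dict, List, Optional

# crypt(3) method identifiers ("$id$salt$hash") as used by glibc/libxcrypt.
CRYPT_METHODS: Dict[str, str] = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
# What this audit flags; "unknown" is included so an unrecognised prefix gets reviewed.
WEAK_METHODS = {"md5crypt", "descrypt", "plaintext", "unknown"}


def classify_hash(field: str) -> str:
    """Name the crypt(3) method of one shadow password field.

    A leading '!' (locked account) is stripped first, so a locked but still
    hashed entry is classified by its hash rather than reported as "none".
    """
    field = field.lstrip("!")
    if field in ("", "*"):
        return "none"
    if field.startswith("$"):
        ident = field.split("$")[1]
        return CRYPT_METHODS.get(ident, "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"  # traditional 13-character DES crypt has no '$' prefix
    return "unknown"


def audit_shadow(text: str) -> List[dict]:
    """Classify every entry of /etc/shadow-formatted text."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        method = classify_hash(fields[1])
        results.append({"name": fields[0], "method": method, "weak": method in WEAK_METHODS})
    return results


def _option(tokens: List[str], name: str) -> Optional[str]:
    """Value of a kickstart option written as --name=value or --name value."""
    for i, tok in enumerate(tokens):
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1]
        if tok == name and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_kickstart(text: str) -> List[dict]:
    """Classify the password in each `rootpw` and `user` directive."""
    results = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0] not in ("rootpw", "user"):
            continue
        if tokens[0] == "rootpw":
            # rootpw [--iscrypted|--plaintext] [--lock] <password>
            name = "root"
            positional = [t for t in tokens[1:] if not t.startswith("--")]
            password = positional[-1] if positional else None
        else:
            name = _option(tokens, "--name") or "?"
            password = _option(tokens, "--password")
        if password is None:
            continue
        method = classify_hash(password) if "--iscrypted" in tokens else "plaintext"
        results.append({"name": name, "method": method, "weak": method in WEAK_METHODS})
    return results


def weak_names(results: List[dict]) -> List[str]:
    """Names of the entries the audit flagged."""
    return [r["name"] for r in results if r["weak"]]


# Constructed sample input: FAKE_SHA512 has the "$6$" shape but is not a real hash.
FAKE_SHA512 = "$6$saltsalt$" + "A" * 86
SAMPLE_SHADOW = "\n".join([
    "root:$1$abcdefgh$0123456789abcdefghijkl:17900:0:99999:7:::",
    "daemon:*:17900:0:99999:7:::",
    "earl:" + FAKE_SHA512 + ":17900:0:99999:7:::",
    "svc:!" + FAKE_SHA512 + ":17900:0:99999:7:::",
])
SAMPLE_KICKSTART = "\n".join([
    "# constructed kickstart fragment",
    "rootpw --iscrypted $1$abcdefgh$0123456789abcdefghijkl",
    "user --name=earl --groups=sudo --password=" + FAKE_SHA512 + " --iscrypted",
    "user --name=guest --password=hunter2 --plaintext",
])

if __name__ == "__main__":
    # Usage: audit_hashes.py shadow /etc/shadow  |  audit_hashes.py ks file.ks
    if len(sys.argv) == 3 and sys.argv[1] in ("shadow", "ks"):
        with open(sys.argv[2]) as fh:
            text = fh.read()
        results = audit_shadow(text) if sys.argv[1] == "shadow" else audit_kickstart(text)
    else:
        results = audit_shadow(SAMPLE_SHADOW) + audit_kickstart(SAMPLE_KICKSTART)
    for r in results:
        print(f"{'WEAK' if r['weak'] else 'ok  '} {r['name']:<10} {r['method']}")
    sys.exit(1 if weak_names(results) else 0)
```

On the constructed samples the script flags `root` in the shadow lines (md5crypt) and `root` and `guest` in the kickstart fragment (md5crypt and a plaintext password); `earl`'s "$6$" entry passes. Reading the real /etc/shadow requires root. To produce a "$6$" hash for a kickstart file by hand, `mkpasswd -m sha-512` (whois package) or `openssl passwd -6` both emit the sha512crypt format that `rootpw --iscrypted` expects.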

Earl Ruby (earlruby.org) wrote :

I can fix this bug if someone can point me to the source repo. I found https://github.com/rhinstaller/system-config-kickstart on-line, but I'm not sure if Ubuntu pulls from the RHEL source repo so I don't know if fixing it there will help or not.

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Earl Ruby (earlruby.org) wrote :

I don't see why not. I fixed it and submitted a PR but can't get anyone to look at the PR.

> On Jan 18, 2019, at 11:13 AM, Marc Deslauriers <email address hidden> wrote:
>
> Can I make this bug public?
>

information type: Private Security → Public Security
tags: added: rls-dd-incoming
Changed in system-config-kickstart (Ubuntu):
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Earl Ruby (earlruby.org) wrote :

Is there a different repository where I should submit this PR?

On Thu, Mar 7, 2019 at 2:30 PM Dimitri John Ledkov <email address hidden>
wrote:

> ** Tags added: rls-dd-incoming
>
> ** Changed in: system-config-kickstart (Ubuntu)
> Assignee: (unassigned) => Canonical Foundations Team
> (canonical-foundations)
>

--
Earl Ruby
http://earlruby.org/

Changed in system-config-kickstart (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in system-config-kickstart (Ubuntu):
assignee: Canonical Foundations Team (canonical-foundations) → nobody
tags: added: id-5c93b5ed0e88b83056419916
tags: removed: rls-dd-incoming
Balint Reczey (rbalint) wrote :

@earlruby.org I think you already filed the PR at the best place, i.e. at upstream. Ubuntu (and other distributions as well AFAIK) prefers carrying patches only when it is critical to the distribution and preferably only for a short period until it becomes available in a new upstream release.
This patch doesn't seem to fit either category unless upstream accepts the patch.
