The Cyber Security News
Bouncy Castle Bug Puts Bcrypt Passwords at Risk


A high-impact vulnerability has been identified in a popular Java cryptography library which could allow attackers to brute force Bcrypt-hashed passwords far more easily.

CVE-2020-28052 is an authentication bypass bug in the OpenBSDBcrypt class of the widely used Bouncy Castle library.

By exploiting it, attackers can effectively bypass password checks in applications using the Bcrypt algorithm for password hashing, explained Synopsys. Although attack complexity is rated high, so is the potential impact on confidentiality, integrity and availability, the vendor said.

“An attacker must brute force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1000 attempts,” it explained.

“Some password hashes take more attempts, determined by how many bytes lie between and 60 (1 to 59). Further, our research shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input.”
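The bypass described above is a password-check comparison that does not actually compare the two hash strings character by character. The following added example (not from the article, Synopsys or Bouncy Castle) shows the kind of differential test a developer or reviewer can run against any hash-comparison routine: it feeds pairs of distinct, bcrypt-shaped strings to the comparator and counts how many it wrongly accepts. `flawed_compare` is an assumption as far as this page goes: it models the publicly described CVE-2020-28052 pattern (comparing the position of the first occurrence of each character code 0..59 rather than the character at each position); `safe_compare` is the hardened form. All hash strings are constructed here.

```python
import hmac
import random
import string

# Characters that can appear in a bcrypt hash string: the "$2a$" style
# prefix, the cost digits and the base64-like salt/hash body.
BCRYPT_ALPHABET = "./$" + string.ascii_letters + string.digits


def flawed_compare(stored: str, computed: str) -> bool:
    """ASSUMPTION: modelled on the publicly described CVE-2020-28052
    pattern, not on code shown in this article. For each code point i in
    0..len-1 it compares where that character FIRST occurs in each string,
    instead of comparing the characters at position i. Code points above
    59 (all letters) are never examined, so letters can differ freely."""
    if len(stored) != len(computed):
        return False
    equal = True
    for i in range(len(stored)):  # 60 iterations for a 60-char bcrypt string
        equal &= stored.find(chr(i)) == computed.find(chr(i))
    return equal


def safe_compare(stored: str, computed: str) -> bool:
    """Hardened check: full-length, constant-time comparison."""
    return hmac.compare_digest(stored.encode(), computed.encode())


def differential_test(compare, trials: int = 2000, seed: int = 1) -> int:
    """Return how many constructed pairs of DISTINCT hash strings `compare`
    wrongly accepts. Each pair keeps digits, '.', '/' and '$' in the same
    places and differs in at least one letter position."""
    rng = random.Random(seed)
    letters = string.ascii_letters
    false_accepts = 0
    for _ in range(trials):
        base = [rng.choice(BCRYPT_ALPHABET) for _ in range(60)]
        letter_positions = [i for i, c in enumerate(base) if c in letters]
        if not letter_positions:
            continue  # no letter to vary; cannot build a distinct pair
        variant = list(base)
        for i in letter_positions:
            variant[i] = rng.choice(letters)
        # force at least one real difference
        i = rng.choice(letter_positions)
        variant[i] = rng.choice([c for c in letters if c != base[i]])
        a, b = "".join(base), "".join(variant)
        if a != b and compare(a, b):
            false_accepts += 1
    return false_accepts


# Constructed pair: identical placement of '$' and digits, letters differ.
PAIR_A = "$2y$10$abcdefg"
PAIR_B = "$2y$10$hijklmn"

if __name__ == "__main__":
    print("flawed false accepts:", differential_test(flawed_compare))
    print("safe false accepts:  ", differential_test(safe_compare))
```

The point of the harness is that a comparator which passes the ordinary "same string is accepted" unit test can still accept wrong inputs; only a test that deliberately supplies near-miss, distinct strings exposes that, and it takes seconds to run in CI.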

The flaw was disclosed to Bouncy Castle on October 20 and fixed in early November, with an advisory published yesterday.

However, 91% of organizations using the at-risk version of Bouncy Castle have so far not patched, according to Sonatype.

CTO Brian Fox claimed that the popular cryptographic Java library is used by developers across 26,000 organizations to secure their applications, and has been downloaded more than 170 million times in the past 12 months alone.

This makes it a potentially major supply chain risk.

“Recent headlines about the massive SolarWinds attack highlighted the importance of software supply chain security and how easy it is for a single vulnerability to be distributed across multiple organizations, from government to security companies,” Fox argued.

“Ensuring the software you’re running across a business is built on the most secure, up-to-date components requires maintaining a clean software bill of materials which automatically monitors for updates or malicious packages.”
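As an added example of the bill-of-materials check Fox describes (not code from the article, Sonatype or Bouncy Castle), the script below walks a CycloneDX-style SBOM and flags Bouncy Castle provider artifacts (`org.bouncycastle:bcprov-*`, the artifact that ships the OpenBSDBCrypt class) whose version is older than the fixed release. The SBOM content and every version number in it are constructed, and the fixed version is a placeholder: the article does not name the fixed release, so take it from the Bouncy Castle advisory before using this.

```python
import json

# Constructed CycloneDX-style SBOM fragment; not any real project's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.bouncycastle", "name": "bcprov-jdk15on", "version": "1.64",
         "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on@1.64"},
        {"group": "org.bouncycastle", "name": "bcpkix-jdk15on", "version": "1.64"},
        {"group": "org.bouncycastle", "name": "bcprov-jdk15on", "version": "1.99"},
        {"group": "com.example", "name": "other-lib", "version": "2.3.1"},
    ],
})

# PLACEHOLDER, not the real fixed release: substitute the version named in
# the Bouncy Castle advisory for CVE-2020-28052.
FIXED_VERSION_PLACEHOLDER = "1.99"


def parse_version(v: str) -> tuple:
    """Turn '1.64' or '1.64.1-SNAPSHOT' into a comparable tuple of ints,
    ignoring any non-numeric suffix on a segment."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b; shorter tuples are zero-padded
    so that '1.64' and '1.64.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def find_unpatched(sbom_json: str, fixed_version: str,
                   group: str = "org.bouncycastle",
                   name_prefix: str = "bcprov-") -> list:
    """Return 'group:name:version' for every matching component whose
    version is older than fixed_version."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("group") != group:
            continue
        if not comp.get("name", "").startswith(name_prefix):
            continue
        version = comp.get("version", "0")
        if compare_versions(version, fixed_version) < 0:
            hits.append(f"{group}:{comp['name']}:{version}")
    return hits


if __name__ == "__main__":
    for hit in find_unpatched(SAMPLE_SBOM, FIXED_VERSION_PLACEHOLDER):
        print("UNPATCHED:", hit)
```

Run against each build's generated SBOM, this is the "automatic monitoring" the quote calls for in its simplest form; the same loop extends to any other coordinate and fixed-version pair you care about.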


Some sections of this article are sourced from:
www.infosecurity-magazine.com

Copyright © TheCyberSecurity.News, All Rights Reserved.