OpenBSD svnd offline dictionary attack

2005-12-25T00:00:00
ID OSVDB:25662
Type osvdb
Reporter OSVDB
Modified 2005-12-25T00:00:00

Description

Vulnerability Description

OpenBSD svnd contains a flaw that may allow a malicious user to mount an offline dictionary attack against an svnd cryptographic disk. The issue is triggered because salting isn't used in conjunction with the pass phrase. It is possible that the flaw may allow svnd to be cracked using rainbow tables, resulting in a loss of confidentiality.
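The effect of the missing salt, as an added example (not OpenBSD's code and not part of the OSVDB entry): PBKDF2-HMAC-SHA256 stands in for the passphrase-to-key step, which the entry does not specify, and the volume names, wordlist and round count are constructed.

```python
import hashlib
import os

ROUNDS = 1000  # constructed value, kept low so the example runs quickly


def derive(passphrase: str, salt: bytes = b"") -> bytes:
    """Passphrase-to-key step. An empty salt models the unsalted case."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ROUNDS)


def table_hits(table: dict, volume_keys: dict) -> dict:
    """Return {volume: passphrase} for every volume key found in the table."""
    return {vol: table[key] for vol, key in volume_keys.items() if key in table}


def demo() -> tuple:
    # Constructed sample data: two volumes protected by the same weak passphrase.
    wordlist = ["letmein", "correct horse", "hunter2"]
    volumes = {"disk-a": "hunter2", "disk-b": "hunter2"}

    # Without a salt the table needs no knowledge of any volume, so it can be
    # computed once, ahead of time, and reused against every disk.
    table = {derive(word): word for word in wordlist}

    unsalted = {vol: derive(pw) for vol, pw in volumes.items()}

    # With a random per-volume salt stored beside the volume, the same
    # passphrase yields a different key on each disk.
    salts = {vol: os.urandom(16) for vol in volumes}
    salted = {vol: derive(pw, salts[vol]) for vol, pw in volumes.items()}

    return (
        unsalted["disk-a"] == unsalted["disk-b"],  # same passphrase, same key
        len(table_hits(table, unsalted)),          # one table matches both disks
        salted["disk-a"] == salted["disk-b"],      # salts separate the keys
        len(table_hits(table, salted)),            # the generic table matches none
    )


if __name__ == "__main__":
    print(demo())
```

A salt does not make a weak pass phrase strong: it only forces the dictionary work to be repeated for each volume instead of being precomputed once.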

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Ted Unangst has released a patch to address this vulnerability.

References:

Vendor Specific Solution URL: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/vnconfig/vnconfig.c?rev=1.17&content-type=text/x-cvsweb-markup
Other Solution URL: http://marc.theaimsgroup.com/?l=openbsd-misc&m=110474799109884&w=2
Other Solution URL: http://marc.theaimsgroup.com/?l=openbsd-tech&m=114724124517928&w=2
Other Advisory URL: http://www.onlamp.com/pub/a/bsd/2005/12/21/netbsd_cgd.html