CVE-2024-24553: Bludit uses SHA1 as Password Hashing Algorithm
First published: Mon Jun 24 2024(Updated: )
Bludit uses the SHA-1 hashing algorithm to compute password hashes. Thus, attackers could determine cleartext passwords with brute-force attacks due to the inherent speed of SHA-1. In addition, the salt that is computed by Bludit is generated with a non-cryptographically secure function.
Credit: vulnerability@ncsc.ch
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bludit |
Remedy
To address this vulnerability, it is imperative that the Bludit development team transitions to a more secure and intentionally slow hashing algorithm, such as bcrypt or Argon2, for password storage. These algorithms introduce the necessary computational overhead to resist brute-force attacks effectively. In addition, it is advised that appropriate cost factors are used. Furthermore, the generation of password salts should be revamped to employ a cryptographically secure method. The current approach, utilizing the `Text::randomText function`, should be replaced with a robust random number generator provided by the operating system or a dedicated cryptographic library. This change ensures the creation of unpredictable and secure salts, enhancing the overall resilience of the password storage mechanism.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-24553?
CVE-2024-24553 is considered a high-severity vulnerability due to the use of SHA-1 hashing for password protection.
How do I fix CVE-2024-24553?
To fix CVE-2024-24553, update Bludit to a version that uses a more secure hashing algorithm, such as bcrypt.
What impact does CVE-2024-24553 have on users?
CVE-2024-24553 allows attackers to potentially recover user passwords through brute-force attacks due to weaknesses in SHA-1 and the non-cryptographically secure salt.
Are older versions of Bludit affected by CVE-2024-24553?
Yes, older versions of Bludit that use the SHA-1 hashing algorithm for passwords are affected by CVE-2024-24553.
Is there a workaround for CVE-2024-24553?
A temporary workaround for CVE-2024-24553 is to implement additional rate limiting on login attempts while awaiting a patch.
- agent/remedy
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- collector/nvd-api
- source/NVD
- agent/severity
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/bludit
- canonical/bludit