[https://issues.apache.org/jira/browse/DIRSERVER-2338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270802#comment-17270802]
Ya Xiao commented on DIRSERVER-2338:
------------------------------------
Thank you so much for replying. We are a security research team at Virginia
Tech. We are doing an empirical study about the usefulness of the existing
security vulnerability detection tools. The reported one is what we got from
certain tools.
We would greatly appreciate it if you could give us some information about the
following questions. Your feedback is important for us to help improve the
state of the art.
1. What kind of support or features do you expect from a useful bug detector?
E.g. demonstration of exploits or some customized fixing suggestions?
2. Are there any types of bugs/security vulnerabilities you want the detection
tools to pay more attention to?
3. What kind of challenges do you think developers are facing when fixing
the detected vulnerabilities? And what kind of tool support do you think would
help to improve the practices?
4. What kind of bug checker/vulnerability detection tools are you using? Do you
think they are helpful?
> Using a static IV in symmetric encryption with CBC mode
> -------------------------------------------------------
>
> Key: DIRSERVER-2338
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2338
> Project: Directory ApacheDS
> Issue Type: Improvement
> Reporter: Ya Xiao
> Priority: Major
> Labels: patch, security
>
> *Vulnerability Description*
> In file
> [directory-server/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java|https://github.com/apache/directory-server/blob/master/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java]
> a hardcoded IV (at Line 161) is used to initialize the cipher (at Line 165,
> Line 169).
> *Security Impact:*
> The IV of CBC mode is expected to be random. The static IV makes the
> resulting ciphertext much more predictable and susceptible to a dictionary
> attack.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/329.html]
> *Solution we suggest*
> Generate the IV bytes through SecureRandom.
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?
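To make the issue's point concrete, here is an added example (written for this page, not code from ApacheDS) that encrypts two related messages under DES/CBC with a fixed IV and then with a fresh SecureRandom IV, and counts how many leading ciphertext blocks coincide; it also shows that a random first plaintext block (a confounder, which the Kerberos DES encryption profiles prepend) hides the shared prefix even when the IV is fixed. The key, the zero IV and the messages are constructed placeholders.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class StaticIvDemo {
    // Constructed demo key and static IV: placeholders, not values taken from ApacheDS.
    static final byte[] KEY = {0x01, 0x23, 0x45, 0x67, (byte) 0x89, (byte) 0xab, (byte) 0xcd, (byte) 0xef};
    static final byte[] STATIC_IV = new byte[8]; // eight zero bytes, reused for every message
    static final SecureRandom RNG = new SecureRandom();

    /** DES/CBC/PKCS5Padding with a caller-supplied IV (JDK built-in SunJCE cipher). */
    static byte[] desCbcEncrypt(byte[] key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "DES"), new IvParameterSpec(iv));
        return cipher.doFinal(plaintext);
    }
    /** Fresh 8-byte block from SecureRandom, usable as an IV or as a confounder. */
    static byte[] randomBlock() {
        byte[] b = new byte[8]; RNG.nextBytes(b); return b;
    }
    /** Number of leading 8-byte blocks two ciphertexts have in common. */
    static int sharedLeadingBlocks(byte[] a, byte[] b) {
        int blocks = Math.min(a.length, b.length) / 8;
        for (int i = 0; i < blocks * 8; i++) {
            if (a[i] != b[i]) return i / 8;
        }
        return blocks;
    }
    static byte[] concat(byte[] head, byte[] tail) {
        return ByteBuffer.allocate(head.length + tail.length).put(head).put(tail).array();
    }
    public static void main(String[] args) throws Exception {
        // Two constructed messages that differ only in the last byte (38 bytes, 5 blocks after padding).
        byte[] m1 = "ticket-for:alice@EXAMPLE.COM session=A".getBytes(StandardCharsets.US_ASCII);
        byte[] m2 = "ticket-for:alice@EXAMPLE.COM session=B".getBytes(StandardCharsets.US_ASCII);
        // Static IV: the four identical leading plaintext blocks encrypt identically, revealing the shared prefix.
        int leakStatic = sharedLeadingBlocks(desCbcEncrypt(KEY, STATIC_IV, m1), desCbcEncrypt(KEY, STATIC_IV, m2));
        // Fresh SecureRandom IV per message (the fix the issue suggests): the ciphertexts diverge from block one.
        int leakRandomIv = sharedLeadingBlocks(desCbcEncrypt(KEY, randomBlock(), m1), desCbcEncrypt(KEY, randomBlock(), m2));
        // Static IV but a random first plaintext block (a confounder, as the Kerberos DES profiles prepend): same effect.
        int leakConfounder = sharedLeadingBlocks(desCbcEncrypt(KEY, STATIC_IV, concat(randomBlock(), m1)),
                desCbcEncrypt(KEY, STATIC_IV, concat(randomBlock(), m2)));
        System.out.println("shared leading blocks: static IV=" + leakStatic + ", random IV=" + leakRandomIv
                + ", static IV + confounder=" + leakConfounder);
    }
}
```

When reviewing a static-IV finding, the confounder case is the check worth making: a fixed IV is only a practical leak if nothing random precedes the first real plaintext block.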
--
This message was sent by Atlassian Jira
(v8.3.4#803005)