Sophos UTM 9 Password Storage

Hi there,


while using the API, I figured out that passwords for internal users are stored as MD4 hashes.

According to Wikipedia: "As of 2007, an attack can generate collisions in less than 2 MD4 hash operations" [1]. That was 10 years ago...


Is there any possibility to change the hash algorithm to something useful / secure?

I know that I can use alternative authentication backends, but that's explicitly not what I want.


Thanks in advance.

Best,

Alk


[1] en.wikipedia.org/.../MD4



This thread was automatically locked due to age.
  • Hi, Alk, and welcome to the UTM Community!

    My company has been installing this software since 2003.  As you can tell, I've been an active participant here for over 10 years.  During that time, I've probably read every post related to the UTM.  No such situation has occurred that was reported here.

    Up until Sophos bought Astaro, this venue rarely saw Astaro employees and there was no attempt by Astaro to remove such reports.  I'm not saying that Sophos does, just that we would have known sometime before 2013.

    That said, there are several things an experienced installer does to minimize the attack surface.  First, limit access to WebAdmin to a few IPs.  You also can use two-factor auth.  I like to add a remote access account and then include "MyUserName (User Network)" as a different kind of two-factor auth.  I also recommend only allowing one person to know the admin credentials, and it's not me!  The admin user should always be the backup for getting in when the primary admin's account doesn't authenticate.  Similarly, I always configure root access by RSA key, and the "(User Network)" trick also works there for two-factor auth.

    I could go on, but suffice to say that the exposure should be virtually non-existent for a site configured correctly.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BUMP...

    Is UTM9 still using MD4?

  • Hey Barry - glad to see you back!

    Indeed:

    secure:/home # cc get_object REF_AaaUseMyUser|grep hash
                          'md4hash' => 'xxxxxxxxxxxxxxxXXXXXXXXXXXXXXXXX',

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
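Added example (not code from Sophos or from anyone in this thread): a pure-Python MD4 per RFC 1320, used to show why an unsalted `md4hash` value like the one Bob prints above is an offline-cracking target, next to a salted, iterated PBKDF2 record for contrast. The thread does not say how UTM encodes the password before hashing, so the encoding is a parameter here (UTF-8 by default; NT-style hashes use UTF-16LE); the user names, passwords and word list are constructed for the demonstration.

```python
"""Why an unsalted MD4 password hash is cheap to attack, and what a
salted slow KDF changes. Added example; not Sophos code."""
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python, so it runs even where OpenSSL
    has moved MD4 into its legacy provider and hashlib.new('md4') fails)."""
    msg = bytearray(data)
    msg.append(0x80)                      # padding: a 1 bit, then zeros ...
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # ... then the bit length

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r2_order = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, shifts 3/7/11/19
            a = _rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G + 0x5A827999, column-major word order
            a = _rotl((a + G(b, c, d) + X[r2_order[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H + 0x6ED9EBA1, bit-reversed word order
            a = _rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def md4hash(password: str, encoding: str = "utf-8") -> str:
    """Unsalted hex MD4 of the password, the shape of the 'md4hash' field above.
    ASSUMPTION: the thread does not state the encoding UTM uses; NT hashes
    use UTF-16LE, so it is left as a parameter."""
    return md4(password.encode(encoding)).hex()


def crack_md4hash(target_hex: str, wordlist, encoding: str = "utf-8"):
    """Offline dictionary attack. With no salt and no work factor each
    candidate costs one MD4, and one pass cracks every account sharing the hash."""
    target = target_hex.lower()
    for candidate in wordlist:
        if md4hash(candidate, encoding) == target:
            return candidate
    return None


def pbkdf2_record(password: str, salt=None, iterations: int = 210_000) -> str:
    """Contrast: per-user random salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256 here; scrypt or Argon2 would be the modern choice)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample: two local accounts that happen to share a password.
    users = {"alice": md4hash("Summer2017!"), "bob": md4hash("Summer2017!")}
    print("identical hashes for identical passwords (no salt):", users["alice"] == users["bob"])
    wordlist = ["password", "Welcome1", "Summer2017!", "letmein"]   # constructed
    print("cracked alice:", crack_md4hash(users["alice"], wordlist))
    rec = pbkdf2_record("Summer2017!")
    print("salted record:", rec)
    print("verify good/bad:", verify_pbkdf2("Summer2017!", rec), verify_pbkdf2("wrong", rec))
```

The collision results quoted in the original post are not what makes this field dangerous; a stolen unsalted, unsalted fast hash is, because every candidate password costs one MD4 and one guess covers every user with that hash. The salted record shows the two properties a local password store needs instead: a per-user salt, so equal passwords no longer produce equal stored values, and an iteration count that makes each guess expensive.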
  • Guys, 

    with the latest XG vulnerability we can see that a zero-day can indeed be used, or a vulnerability can occur, making it possible to extract or steal these hashes. It is only luck that this has not yet happened with a UTM; this can happen to ANY system. So IMHO this should be changed ASAP. MD4 should be considered absolutely out of the question.

    Thanks,

    Joerg

  • Hey Bob,

    are passwords from the backends also cached this way, or only local accounts?

    Two years ago I found the issue with the unencrypted backend passwords in the log files when being in debug mode (see older posts in this thread). This has been fixed. Is this another way for administrators to decrypt passwords of remote users?

    Best regards,
    Bernd