Systems installed by Cnchi prior to v0.14.287 have weaker password hashes than they should. This is only significant if an attacker has a way of obtaining the password hashes. Nevertheless, the security of users' systems is a serious matter and we feel it's important that we give our users the information they need to decide what (if any) mitigation actions to take.
Prior to version 0.14.287, the Cnchi Installer used a predictable salt to generate password hashes when creating system user accounts. This means, that an attacker would know the salt for user "bob", and also for user "root". If the attacker can obtain the password hash, then the knowledge of the salt can help the attacker prepare for a password cracking attempt.
By default, password hashes are stored in the root-only-readable
/etc/shadow file. Thus, the only way an attacker could obtain a system's password hashes is if they have already gained root access on the system (which, of course, would make obtaining the hashes pretty pointless).
This weakness does not weaken the password security for user accounts on a single system unless the attacker obtains the password hash through some other means.
The predictable salt also means that passwords on different machines may be hashed with the same salt. For instance, all root accounts installed by Cnchi (before v0.14.287) share the same salt. If an attacker could obtain password hashes from many installed systems, they could use the predictable salt to build a rainbow table in advance.
User accounts added to the system after installation as well as accounts whose password has been changed with the password command utility are not impacted by this password weakness.
For multi-user systems and systems that have ports exposed directly to the internet, users are advised to reset their passwords using the password command utility, which will provide a stronger password hash. This applies to all user accounts created by Cnchi during the installation of the system: the user's own account as well as to the root account.
[email protected]$ passwd Changing password for user. (current) UNIX password: Enter new UNIX password: Retype new UNIX password:
When changing the password, a new, random, salt is generated for the password hash which makes the password no longer affected by this weakness.
The issue has been fixed in Cnchi 0.14.287. Existing DVDs, USB sticks, etc. with Cnchi (before v0.14.287) will not continue to be vulnerable to this password weakness as Cnchi will update itself automatically upon starting up.
Thanks to Bart Haan for finding the original password weakness and Philip Müller from Manjaro for notifying us.