Hi community,
Systems installed by Thus (before v0.9.5.2) and Calamares (before v3.1.0.2) have a weaker password hash than they should. This weakness only matters if an attacker has a way of obtaining the password hash. The Manjaro and Calamares teams believe that installed systems should be as secure as possible and therefore consider this weakness important.
Users are advised to reset their password on installed systems with the passwd utility, which will produce a stronger password hash. This applies to every account whose password was set during installation by either of those installers: the user's own account and the root account, if the root account has a password.
Weakness
During system installation, Thus or Calamares creates a regular user -- for example, "bob" -- and sets the password for that user. Often, Thus or Calamares also sets a password for the root user.
When setting the password, Thus or Calamares uses a predictable "salt". This means that an attacker knows the salt for user "bob", and also for user "root", without ever having seen the system. If the attacker can obtain the password hash -- usually stored in /etc/shadow -- then knowledge of the salt lets the attacker prepare for a password cracking attempt in advance, for example by precomputing the hashes of candidate passwords under that salt before the hash is even obtained.
Impact
This weakness does not weaken password security for ordinary logins on a single system: a login still requires the correct password. It does weaken the password if an attacker can obtain the password hash through some other means, because the cracking work can be prepared before the hash is obtained and reused against every account that shares the same salt.
The predictable salt also means that passwords on different machines may be hashed with the same salt. In particular, all root accounts installed by Thus (before v0.9.5.2) and Calamares (before v3.1.0.2) share the same salt, so an attacker who can obtain /etc/shadow from many installed machines can use the predictable salt to build a rainbow table (a precomputed table of hashes for candidate passwords) for root in advance, and a single table then covers all of those machines.
Users added to the system after installation do not have this password weakness.
Users whose password has been changed with passwd do not have this password weakness.
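The symptom described above can be checked for directly: a salt that recurs between accounts, on one machine or across several, is exactly what a freshly generated random salt should never produce. The following is an added example, not code from this advisory or from the Thus or Calamares projects: a small Python auditor that parses shadow-style entries and reports salts shared between accounts. The machine names, account names, salts and hash bodies in SAMPLE_SHADOW are constructed placeholders; the real predictable salt value is deliberately not reproduced here.

```python
"""Audit shadow-style password entries for accounts that share a salt.

Added example for the Manjaro/Calamares advisory; it only inspects the salt
field of each entry and neither verifies nor cracks any password.
"""
from collections import defaultdict

# Constructed sample data: shadow entries from two hypothetical installed
# machines. Salts and hash bodies are made-up placeholders, not real values
# produced by Thus or Calamares. "alice" and "carol" stand for accounts whose
# password was set with passwd and therefore carry their own random salt.
SAMPLE_SHADOW = {
    "machine-a": (
        "root:$6$abcdefgh$PLACEHOLDERHASHROOTA:17330:0:99999:7:::\n"
        "bob:$6$abcdefgh$PLACEHOLDERHASHBOBA:17330:0:99999:7:::\n"
        "alice:$6$rounds=5000$Zq9xL2vBmPw4Kd7e$PLACEHOLDERHASHALICE:17340:0:99999:7:::\n"
        "daemon:*:17330:0:99999:7:::\n"
        "svc:!:17330:0:99999:7:::\n"
    ),
    "machine-b": (
        "root:$6$abcdefgh$PLACEHOLDERHASHROOTB:17331:0:99999:7:::\n"
        "carol:$6$k3Jd8sPq$PLACEHOLDERHASHCAROL:17331:0:99999:7:::\n"
    ),
}


def parse_hash_field(field):
    """Split a crypt(3) "$id$[rounds=N$]salt$hash" string into its parts.

    Returns None for locked or passwordless accounts ("*", "!", "!!", "")
    and for legacy DES-style fields, which carry no "$" structure.
    """
    if not field or field[0] in "*!" or not field.startswith("$"):
        return None
    parts = field.split("$")  # the leading "$" yields an empty first element
    if len(parts) < 4:
        return None
    method = parts[1]
    rest = parts[2:]
    rounds = None
    if rest[0].startswith("rounds="):          # sha256/sha512-crypt option
        rounds = int(rest[0][len("rounds="):])
        rest = rest[1:]
    elif method == "y":                        # yescrypt: "$y$params$salt$hash"
        rest = rest[1:]
    if len(rest) < 2:
        return None
    return {"method": method, "rounds": rounds, "salt": rest[0], "hash": rest[1]}


def parse_shadow(text, source):
    """Return (source, user, parsed_hash) for each hashed entry in a shadow file."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        parsed = parse_hash_field(fields[1])
        if parsed is not None:
            records.append((source, fields[0], parsed))
    return records


def find_shared_salts(records):
    """Map each salt used by more than one account to the accounts using it.

    A recurring salt is the observable symptom of the advisory's weakness:
    a correctly generated salt is fresh and random for every password.
    """
    by_salt = defaultdict(list)
    for source, user, parsed in records:
        by_salt[parsed["salt"]].append(f"{source}:{user}")
    return {salt: users for salt, users in by_salt.items() if len(users) > 1}


def audit(shadow_by_source):
    """Audit shadow files from several machines at once."""
    records = []
    for source, text in shadow_by_source.items():
        records.extend(parse_shadow(text, source))
    return {
        "accounts": {f"{s}:{u}": p["salt"] for s, u, p in records},
        "shared_salts": find_shared_salts(records),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SHADOW)
    for salt, users in result["shared_salts"].items():
        print(f"salt {salt!r} reused by: {', '.join(users)} -> reset with passwd")
    if not result["shared_salts"]:
        print("no shared salts found")
```

On a real system the shadow file is readable only by root, so the text would be read with `sudo cat /etc/shadow` and passed in under a label for that machine. Accounts that appear under a shared salt are the ones to reset with passwd; an account whose salt is unique is not evidence of a good salt by itself, only the absence of this particular symptom.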
Mitigation
Users are advised to reset their password on installed systems by using passwd:
user@system$ passwd
Changing password for user.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
When the password is changed, the installed Linux system generates a new, random salt for the password hash, and the password is no longer affected by this weakness. Users may also want to reset the root password, if it was set during installation, with sudo passwd.
Fixes
Existing DVDs, USB sticks, etc. with Thus (before v0.9.5.2) or Calamares (before v3.1.0.2) as system installer will continue to produce this password weakness on the systems they install. Since Thus and Calamares are system installers, they are usually not present on the installed system, so there is no need to update Thus or Calamares on any installed system; resetting the affected passwords, as described above, is the required action.
Beginning with Manjaro v17.0.2-rc3 we are using Calamares v3.1.0.2 or higher, which no longer creates user password hashes with a predictable salt.
Credits
Thanks to Bart Haan for finding the original password weakness and Philip Müller for extensive testing in Manjaro.
Additional Information
It is generally good to read our Security Mailing List on a regular basis. In this case, please read our MSAs on this particular topic: [MSA-201706-01], [MSA-201706-02]