This repository has been archived by the owner on Jan 30, 2024. It is now read-only.

Use of MD5, use of HTTP, and empty passwords #7768

Closed
akondasif opened this issue Jul 14, 2018 · 3 comments
Comments

@akondasif

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of MD5 uses in one of the Puppet scripts. MD5 is vulnerable to attacks, and should be avoided. The Common Weakness Enumeration organization recommends against usage of weak cryptographic algorithms such as MD5. Ref: https://cwe.mitre.org/data/definitions/327.html.

I suggest the use of SHA512, which is more secure. Any feedback is appreciated.

Source: https://github.com/alphagov/govuk-puppet/blob/master/modules/govuk/manifests/node/s_transition_postgresql_standby.pp

@akondasif akondasif changed the title MD5 is vulnerable to security attacks and should be avoided Two bad practices: use of MD5 and empty passwords Jul 15, 2018
@akondasif
Author

Along with use of MD5, I also noticed instances of empty passwords. Empty passwords increase the guessability of passwords. The Common Weakness Organization (CWE) identifies use of empty passwords as a security weakness (https://cwe.mitre.org/data/definitions/258.html).

I suggest following the strong password guidelines, and managing passwords with Hiera.

Source: https://github.com/alphagov/govuk-puppet/blob/master/modules/govuk_crawler/manifests/init.pp

@akondasif akondasif changed the title Two bad practices: use of MD5 and empty passwords Use of MD5, use of HTTP, and empty passwords Jul 15, 2018
@akondasif
Author

I also found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used. Is it because of a lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

Any feedback is appreciated.

Source: https://github.com/alphagov/govuk-puppet/blob/master/modules/nodejs/manifests/repo.pp

@deanwilson
Contributor

Thank you for raising these and apologies for the lack of activity on the issue.

We have a separate, private, system that replaces the empty passwords with securely generated values that are loaded via Hiera. Due to the nature of the public/private split it can appear we have empty passwords in places where we actually don't. In regards to the postgres issue we've moved to RDS now and changed the way this authentication works.

Thank you again for flagging these.
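A Puppet manifest written as an added example for this thread (it is not code from govuk-puppet), showing the empty-password and plain-HTTP patterns raised above beside a corrected form of each, with the Hiera-managed secret the reply mentions. The class name, Hiera key and repository host are assumed names, and the snippet assumes the puppetlabs-apt module is available.

```puppet
# Added example, not code from govuk-puppet: two of the patterns raised in
# this thread, each weak form beside a corrected one. Class, key and host
# names are illustrative; assumes the puppetlabs-apt module is available.

# --- Empty password (CWE-258) ------------------------------------------
# Weak: a blank credential written straight into the manifest.
class example::crawler_weak {
  file { '/etc/crawler/crawler.conf':
    content => "db_password=\n",
  }
}

# Corrected: no default, so Puppet's automatic parameter lookup reads
# example::crawler::db_password from Hiera (which can live in a private
# data repo). String[1] makes compilation fail on a missing or empty value,
# and Sensitive keeps the secret out of logs, reports and diffs.
class example::crawler (
  String[1] $db_password,
) {
  file { '/etc/crawler/crawler.conf':
    ensure    => file,
    owner     => 'root',
    mode      => '0600',
    content   => Sensitive("db_password=${db_password}\n"),
    show_diff => false,
  }
}

# --- Plain HTTP package source (CWE-319) -------------------------------
# Weak: repository index and packages fetched over HTTP; apt's signature
# check covers integrity, but an on-path observer can still see what is
# installed and replay an old, still-signed index.
apt::source { 'example-nodejs-weak':
  location => 'http://deb.example.invalid/node',
  release  => 'bionic',
  repos    => 'main',
}

# Corrected: the same source over HTTPS (older Ubuntu releases also need
# the apt-transport-https package installed first).
apt::source { 'example-nodejs':
  location => 'https://deb.example.invalid/node',
  release  => 'bionic',
  repos    => 'main',
}
```

With the corrected class, a catalog compiled without `example::crawler::db_password` in Hiera fails with a missing-parameter error instead of shipping a blank credential.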
