-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate and change the use of MD2, MD4, MD5, or SHA1 hash functions in wodles #10116
Comments
Issue updateWe've undergone an investigation to determine if there are any security issues related to the use of the MD5 hashing algorithm in the Azure module. As a summary, we've concluded that there are no problems with our use of the algorithm, an extended investigation report is below. Hashing algorithms best practicesIt is known that MD5 is a hashing algorithm that's cryptographically broken since 2004, as stated in this article, and some of its weaknesses had been described in the late 90s. Despite that, it's a widely used algorithm for integrity checking when there's no third party that could tamper with the file, and any changes would be network-related. It's still in use because it's faster than SHA2 and SHA3 algorithms and it's vastly supported. Better hashing algorithm optionsAlthough there is no problem with the use of MD5 in some cases, we should stop using it in favor of hashing algorithms like BLAKE2, which is at least as fast, is cryptographically secure, and can have the same digest sizes -more info here-. It's available for use in the
Given this information, it would be pretty interesting to use BLAKE2 as an MD5 replacement in most cases, or at least in every new development that needs a fast hashing algorithm. Is that a vulnerability?In the Azure module, the MD5 algorithm is being used to hash the Log Analytics URL provided by the user, to then save that alongside the date of the last log fetched from Azure in a Since there is no risk in the use of the MD5 hashing algorithm, and changing the algorithm to another one would imply some migration efforts, we propose not to change it. In the future, it would be interesting to use a well-designed SQLite database to address this storing necessity in a more efficient and standardized way. |
Issue updateWe opened wazuh/wazuh-qa#2338 to mark the security flaw reported by this issue as a false positive. |
Description
With the test created in the issue wazuh/wazuh-qa#1615, some possible code flaws were found by Bandit.
In this issue we specify flaws regarding the use of insecure hash functions.
Investigate if it is possible to use SHA256 or a different secure cryptograpthic algorithm.
Algorithms which are not considered secure with alternatives: https://security.stackexchange.com/questions/78/what-cryptographic-algorithms-are-not-considered-secure
This is not a problem since the data handled are not critical and are only used internally by the wodle, so there is no decoding possibility. Despite this, we could investigate and use secure hash functions, similar to the same possible flaws found in framework.
Vulnerabilities found in:
wodles/azure/azure-logs.py line 246
wazuh/wodles/azure/azure-logs.py
Line 248 in 7d423ab
wodles/azure/azure-logs.py line 384
wazuh/wodles/azure/azure-logs.py
Line 386 in 7d423ab
wodles/azure/azure-logs.py line 530
wazuh/wodles/azure/azure-logs.py
Line 532 in 7d423ab
More info.: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
Once changes are done, pass the test to check that these flaws were deleted from the known flaws JSON file of framework.
The text was updated successfully, but these errors were encountered: