The CollabNet Subversion Edge Management stores passwords as unsalted MD5 hashes. Unsalted MD5 hashes can easily be cracked by brute forcing the password. Fixed in version 5.0. Version 4.0.11 is affected.
8cc3148316f4aa4c7d8a4758a7e89063b6e5b83abbe5c26a33241c18c888460c
# Vuln Title: The CollabNet Subversion Edge stores passwords as unsalted MD5 hashes
# Date: 28.06.2015
# Author: otr
# Software Link: https://www.open.collab.net/downloads/svnedge
# Vendor: CollabNet
# Version: 4.0.11
# Tested on: Fedora Linux
# Type: Insecure password storage
# Risk: Medium
# Status: public/fixed
# Fixed version: 5.0
Timeline:
2014-10-09 Flaw Discovered
2014-10-20 Vendor contacted
2014-10-21 Vendor response
2014-12-08 Vendor fix proposal
2014-12-08 Extension of embargo to 19.4.2015
2015-05-04 Extension of embargo until release of version 5.0
2015-05-18 Release of version 5.0 and public disclosure
Summary:
The CollabNet Subversion Edge Management stores passwords as unsalted MD5
hashes. Unsalted MD5 hashes can easily be cracked by brute forcing the password.
Fix proposal:
Use a strong password storage algorithm like scrypt or PBKDF2.
Vendor fix:
We opted to go with bcrypt. It has more usage than scrypt and does not have any
known vulnerabilities; it is also more easily supported with the subversion
server, not just the Edge admin console. The strength factor is configurable.