CVE-2019-18906: 
Linux openSUSE vulnerability analysis and mitigation

A critical Improper Authentication vulnerability (CVE-2019-18906) was discovered in the cryptctl component of SUSE Linux Enterprise Server for SAP 12-SP5 and SUSE Manager Server 4.0. The vulnerability affects cryptctl versions prior to 2.4 and was disclosed in May 2021. The issue allows attackers with access to the hashed password to use it directly without needing to crack it (NIST NVD).

The vulnerability stems from an implementation flaw where cryptctl performs password hashing on the client side using keyserv.HashPassword function. While the system implements password hashing and salting, the client-side implementation means that if a hash is leaked, it can be used directly for authentication without requiring the attacker to crack the password. The vulnerability received a CVSS v3.1 base score of 9.8 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (SUSE Bug).

The vulnerability effectively makes the password hashing mechanism equivalent to storing passwords in clear text. If an attacker obtains the hashed password, they can use it directly for authentication, bypassing the intended security benefit of password hashing. This compromises the authentication system's security by allowing unauthorized access with stolen password hashes (SUSE Bug).

The vulnerability was patched in cryptctl version 2.4. The fix involves modifying the authentication process to use plain text password authentication over an encrypted transport, with server-side hashing. For compatibility during updates, a sysconfig variable ALLOW_HASH_AUTH was introduced to temporarily allow authentication with hashed passwords. The recommended update process is: 1) Update the server, 2) Set ALLOW_HASH_AUTH to yes, 3) Update the clients, 4) Set ALLOW_HASH_AUTH to no (SUSE Bug).