Donjon researchers found that the password generator included in Kaspersky Password Manager had several problems. Most significant is the fact that the PRNG used a single source of entropy: the current time. This meant that "all the passwords it created could be bruteforced in seconds". The issue was assigned CVE-2020-27020, where the old version of the password manager is described as being "not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases". While the caveat that "an attacker would need to know some additional information (for example, time of password generation)" is valid, the fact remains that Kaspersky passwords were significantly less secure than people were led to believe.

> Kaspersky Password Manager used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. However, such a method lowers the strength of the generated passwords against dedicated tools. We showed how to generate secure passwords taking KeePass as an example: simple methods like random draws are secure, as soon as you get rid of the "modulo bias" while picking a letter from a given range of chars. We also studied Kaspersky's PRNG, and showed it was very weak. Its internal structure, a Mersenne twister taken from the Boost library, is not suited to generate cryptographic material. But the major flaw is that this PRNG was seeded with the current time, in seconds. Finally, we provided a proof of concept that details the full generation method used by KPM. It can be used to verify the flaw is indeed present in Windows versions of Kaspersky Password Manager < 9.0.2 Patch F. That means every password generated by vulnerable versions of KPM can be bruteforced in minutes (or in a second if you know approximately the generation time).
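The "random draws without modulo bias" approach the researchers recommend is easy to get right, and easy to get subtly wrong. The following is an added example written for this page, not code from Donjon, Kaspersky or KeePass. It assumes a 94-symbol printable ASCII alphabet, draws one byte at a time from the OS CSPRNG via Python's `secrets` module (never a time-seeded PRNG), and uses rejection sampling so that every symbol is equally likely. `modulo_bias` is a deterministic helper that shows what the naive `byte % n` mapping would do to the same alphabet.

```python
import secrets
import string

# Constructed alphabet for the example: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def unbiased_index(n: int) -> int:
    """Return a uniformly distributed integer in [0, n).

    A single random byte has 256 values; 256 is not a multiple of n, so a plain
    `byte % n` favours the low indices. Rejection sampling fixes this: discard
    any byte at or above the largest multiple of n that fits in a byte and
    draw again. Each accepted byte is then equally likely to land on any index.
    """
    if not 0 < n <= 256:
        raise ValueError("single-byte sampling supports alphabets of 1..256 symbols")
    limit = 256 - (256 % n)  # e.g. 188 for n == 94
    while True:
        b = secrets.token_bytes(1)[0]  # OS CSPRNG, not seeded by the clock
        if b < limit:
            return b % n


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a password by independent, unbiased draws from `alphabet`."""
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(alphabet[unbiased_index(len(alphabet))] for _ in range(length))


def modulo_bias(n: int) -> dict:
    """Count how many of the 256 byte values map to each index under naive `b % n`.

    Returns the smallest and largest count. A gap between them means some
    symbols are drawn more often than others; equal counts mean no bias.
    """
    counts = [0] * n
    for b in range(256):
        counts[b % n] += 1
    return {"min": min(counts), "max": max(counts)}


if __name__ == "__main__":
    print("naive byte % 94 bias:", modulo_bias(94))   # some symbols 1.5x as likely
    print("naive byte % 64 bias:", modulo_bias(64))   # power of two: no bias
    print("password:", generate_password(20))
```

For the 94-symbol alphabet, `modulo_bias(94)` reports that 68 symbols are hit by three byte values and the remaining 26 by only two, so the naive mapping makes some characters 1.5 times as likely as others; a password cracker that models that skew gains a real advantage. With rejection sampling the skew disappears, and because the entropy comes from the operating system rather than a seconds-resolution clock, there is no small seed space to enumerate.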