Security Bulletin: ADXCRYPT
A vulnerability in the 4690 OS ADXCRYPT basic password hash algorithm has been reported by Brian Kamusinga and David Odell to the CERT® Coordination Center. They report that the 4690 OS basic password hash can be compromised by an attacker who performs cryptanalysis on the ADXCSOUF.DAT password file to recover the hashed passwords, which can then be used to access the system.
The CERT Coordination Center is a major center for addressing internet security problems and is part of the CERT Division of the Software Engineering Institute and is funded by the United States government.
Affected Products and Versions
All 4690 OS supported versions
Workarounds and Mitigations
Toshiba Global Commerce Solutions is committed to providing 4690 OS customers with robust security features.
The ADXCRYPT hashing algorithm referenced is a basic password hash. Beginning with V5R1, released in January 2007, 4690 OS includes an improved "Enhanced Security" password management function. In all currently supported versions of 4690 OS, Enhanced Security is the recommended method for controlling access to 4690 OS store controllers and helps customers adhere to PCI DSS (Payment Card Industry Data Security Standard) requirements. The Enhanced Security function is not on by default and must be enabled by the customer.
The Enhanced Security function is described in the 4690 OS manuals available online at www.toshibacommerce.com. Briefly, the function adds conventional password rules such as a minimum length, a requirement for at least one letter and one number, a rule that the user ID must not appear in the password, and so forth. Password expiration control is also available. Enhanced Security uses the SHA-1 algorithm for password hashing and does not use the ADXCSOUF.DAT file. Instructions for enabling 4690 OS Enhanced Security can be found in the V6R4 4690 OS Planning, Installation, and Configuration Guide beginning on page 140. Additional information can be found in Chapter 23 of the V6R4 4690 OS Programming Guide.
Beginning in January 2012 with V6R3, 4690 OS includes the additional option of using an LDAP server for user authentication. If enabled by the customer, this function moves user ID and password authentication from 4690 OS to the LDAP server; the LDAP server then controls password hashing, using the encryption and other features available to it. Instructions for enabling LDAP (Directory Services) can be found in the V6R4 4690 OS Planning, Installation, and Configuration Guide beginning on page 23. Details on 4690 Directory Services (LDAP) can be found in Chapter 14 of the V6R4 4690 OS User Guide.
*The CVSS Environmental Score is specific to the customer environment and will ultimately affect the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.