Actualizer OpenSSL Password Hashing Vulnerability

Vulnerability

A vulnerability exists in Actualizer, a tool for building Debian operating systems, prior to version 1.2.0. The application relies on OpenSSL's '-passwd' function, which hashes passwords with SHA512. A fast hash is inappropriate for password storage; a slower, more secure algorithm such as yescrypt or Argon2i should be used instead. All users of Actualizer who build a full Debian operating system are affected. Remediation requires manual intervention: the passwords for the 'alpha' and 'root' accounts must be reset after upgrading to version 1.2.0.

Impact

The vulnerability weakens password storage by using a fast hashing algorithm (SHA512) instead of a recommended slow algorithm (yescrypt or Argon2i). Stored hashes can therefore be cracked more easily, especially with the high-speed hardware that is now readily available.

Reproduction

The vulnerability can be reproduced by using Actualizer version 1.1.0 or earlier to create a Debian operating system. During this process, OpenSSL will hash passwords using SHA512, which is not the recommended practice. After the operating system is deployed, the 'alpha' and 'root' accounts will have passwords hashed with SHA512, creating a security risk.

Remediation

Users should upgrade to Actualizer version 1.2.0. After upgrading, the passwords for the 'alpha' and 'root' accounts must be reset manually so that they are hashed with the correct algorithm (yescrypt), replacing the older SHA512 hashes.
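A post-upgrade check an administrator could run against a deployed image, added here as an example and not part of the advisory or of Actualizer: it parses shadow entries, identifies the crypt(3) scheme from the hash prefix ($6$ is sha512crypt, $y$ is yescrypt), and flags the 'alpha' and 'root' accounts whose hashes still need to be reset. The sample shadow lines and their hash values are constructed, not taken from a real system.

```python
from typing import Iterable, NamedTuple

# crypt(3) and PHC hash prefixes mapped to their scheme names.
SCHEMES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",      # what `openssl passwd -6` emits
    "$2b$": "bcrypt",
    "$y$": "yescrypt",
    "$argon2i$": "argon2i",
    "$argon2id$": "argon2id",
}
# Schemes the advisory names as acceptable replacements for SHA512.
ACCEPTABLE = {"yescrypt", "argon2i"}


class ShadowEntry(NamedTuple):
    user: str
    scheme: str        # scheme name, or "locked", "empty", "unknown"
    needs_reset: bool


def classify_hash(field: str) -> str:
    """Map the password field of one shadow entry to a scheme name."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):   # locked or no password login
        return "locked"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def audit_shadow(shadow_text: str,
                 accounts: Iterable[str] = ("alpha", "root")) -> list[ShadowEntry]:
    """Return the hash scheme of each watched account and whether it must be reset."""
    watched = set(accounts)
    results = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] not in watched:
            continue
        scheme = classify_hash(fields[1])
        # Locked accounts have nothing to crack; anything else that is not
        # an acceptable slow scheme (including unknown prefixes) gets flagged.
        needs_reset = scheme != "locked" and scheme not in ACCEPTABLE
        results.append(ShadowEntry(fields[0], scheme, needs_reset))
    return results


# Constructed sample: root still carries a sha512crypt hash, alpha was reset.
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:19900:0:99999:7:::
alpha:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:19900:0:99999:7:::
daemon:*:19900:0:99999:7:::
"""

if __name__ == "__main__":
    for entry in audit_shadow(SAMPLE_SHADOW):
        print(f"{entry.user}: {entry.scheme} -> reset needed: {entry.needs_reset}")
```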

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          8.6
  impact          5.0
  exploitability  9.5
  remediation     8.3
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.