CVE-2016-20013

Vulnerability

sha256crypt and sha512crypt through version 0.6 implement password hashing where the computational cost grows quadratically with the password length. Specifically, the algorithm's runtime is proportional to the square of the password length, allowing an attacker to cause excessive CPU consumption by providing a long password input. This affects all systems using these algorithms, as documented in the official specification [1]. The vulnerable versions are those up to and including 0.6 of the SHA-crypt specification.

Exploitation

An attacker can trigger a denial of service by submitting a password of sufficient length to any service or application that uses sha256crypt or sha512crypt for password hashing. No special authentication or network position is required; the attacker simply needs to supply a payload (a long password) to the hashing function. For example, sending a long password during login or account creation can cause the server to consume significant CPU resources while computing the hash, potentially exhausting available processing capacity.

Impact

Successful exploitation leads to a denial of service (CPU exhaustion) condition. The attacker causes the target system to spend excessive computing time on hashing a single password, which may degrade performance or render the system unresponsive for other users. There is no direct data confidentiality or integrity compromise; the impact is strictly on availability through resource starvation.

Mitigation

Not yet disclosed in the available references [1]. System administrators should check if their libcrypt or password hashing library provides a patched version that limits password length or implements a constant-time cost factor. If no updated library is available, a workaround is to restrict the maximum password length accepted by applications, thereby capping the CPU expenditure per request.