A while back I was looking at Sun's WBEM (Web-Based Enterprise Management) and noticed that the preinstall script asked for a password. According to the way that Sun's packaging works, for the password to be used during the installation the password would need to be stored in a file. Sure 'nuf-- it was stored in /var/sadm/pkg/SUNWwbcor/pkginfo. If you have installed WBEM and have not changed the admin password, I suggest changing the password.

I have reported this bug to Sun. My report and Sun's response appear below. I see no indication at http://www.sun.com/solaris/wbem/ that a new version is available. It does appear (from a bug report in the Sunsolve database) that the Solaris 8 beta includes WBEM 2.0. Without authenticating, a search for wbem at http://sunsolve.sun.com/ reveals no documents unless I authenticate with my support login and password. Using my support login, I still can find no mention of this installation bug.

Jim-- is there any word on a publicly available fix for this? When will Sun release a security patch related to this? Since everyone had to register to download a copy of WBEM 1.0, will Sun send an announcement to those that downloaded it notifying them of the vulnerability?

Mike

----- Forwarded message from Jim Davis <james.d.davisat_private> -----

Date: Fri, 05 Nov 1999 14:13:43 -0500
From: Jim Davis <james.d.davisat_private>
To: Michael Gerdts <gerdtsat_private>
CC: wbem-interestat_private
Subject: Re: SECURITY: plaintext admin password stored in world readable file

Hi Mike,

This is no longer asked in the latest version. This version will be posted to the web in the next 3 - 4 weeks,

Jim Davis

Michael Gerdts wrote:

> During the installation of SUNWwbcor 1.0, the installer is prompted for a
> password by the package's request script. That password is then stored in
> plain text in /var/sadm/pkg/SUNWwbcor/pkginfo, which is a world-readable
> file. This seems to be a necessary evil, given the specifications of the
> Solaris software packaging scheme.
>
> Please add a step to the installation instructions that explains this
> vulnerability and instructs people to change the admin password.
>
> Mike
>
> --
> Mike Gerdts
> UNIX Systems Administrator
> Computer-Aided Engineering Center
> University of Wisconsin - Madison

----- End forwarded message -----

--
Mike Gerdts
UNIX Systems Administrator
Computer-Aided Engineering Center
University of Wisconsin - Madison
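As an added illustration (not part of the post above, and not Sun's code), a small POSIX sh audit that looks for the class of problem described here: a request-script answer that a package's pkginfo file has preserved in a world-readable location. It assumes the Solaris layout /var/sadm/pkg/<PKG>/pkginfo with NAME=value lines, and the variable-name pattern it matches is an assumed heuristic.

```sh
#!/bin/sh
# Audit /var/sadm/pkg-style metadata for stored credentials (constructed
# example; the SUNWwbcor admin password is the motivating case).

# Variable names that suggest a stored credential (assumed heuristic).
SECRET_RE='^[A-Za-z_][A-Za-z0-9_]*(PASS|SECRET|CRED)[A-Za-z0-9_]*='

# Is the file readable by "other"? find's -perm -mode test is portable
# across Solaris, GNU and BSD find.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# audit_pkginfo ROOT: print "PKG VARNAME" for every credential-looking
# variable stored in a world-readable pkginfo under ROOT.
# Returns 0 when nothing is exposed, 1 when at least one finding was printed.
audit_pkginfo() {
    root="$1"
    found=0
    for f in "$root"/*/pkginfo; do
        [ -f "$f" ] || continue
        world_readable "$f" || continue     # mode 600 files are not the issue
        pkg=$(basename "$(dirname "$f")")
        names=$(grep -iE "$SECRET_RE" "$f" | sed 's/=.*//')
        [ -n "$names" ] || continue
        found=1
        for n in $names; do
            printf '%s %s\n' "$pkg" "$n"
        done
    done
    return $found
}

# restrict_pkginfo ROOT: remove "other" access from every pkginfo file that
# audit_pkginfo flagged. The exposed password itself still has to be changed,
# since it may already have been read while the file was world-readable.
restrict_pkginfo() {
    audit_pkginfo "$1" | while read -r pkg _; do
        chmod o-rwx "$1/$pkg/pkginfo"
    done
}

# Usage: audit_pkginfo /var/sadm/pkg || echo "exposed credentials found"
```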
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:20:14 PDT