Security Update: [CSSA-2002-024.0] Volution Manager: Directory Administrator password in cleartext

From: securityat_private
Date: Mon Jun 03 2002 - 13:58:59 PDT


    To: bugtraqat_private announceat_private security-alertsat_private
    
    
    ______________________________________________________________________________
    
    		Caldera International, Inc.  Security Advisory
    
    Subject:		Volution Manager: Directory Administrator password in cleartext
    Advisory number: 	CSSA-2002-024.0
    Issue date: 		2002 June 3
    Cross reference:
    ______________________________________________________________________________
    
    
    1. Problem Description
    
    	Volution Manager stores the unencrypted Directory
    	Administrator's password in the /etc/ldap/slapd.conf file.
    
    	This vulnerability will be corrected in the next release of
    	Volution Manager.
    
    
    2. Vulnerable Supported Versions
    
    
    	System				Package
    	----------------------------------------------------------------------
    	Volution Manager 1.1		Standard
    
    
    3. Solution
    
    	Volution Manager stores the un-encrypted Directory
    	Administrator's password in the /etc/ldap/slapd.conf file.
    	The password line looks similar to this:
    
    		rootpw		<clear_text_password>
    
    	Caldera strongly recommends that you encrypt this password,
    	using the following steps:
    
    	As the root user, run slappasswd, entering your desired
    	password at the prompts (the example uses newpasswd as the new
    	password; the password will not be seen as you type it).
    
    	# slappasswd
    	New password: newpasswd
    	Re-enter new password: newpasswd
    	{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
    	#
    
    	The output is the new, encrypted password. In the file
    	/etc/ldap/slapd.conf, replace the previous rootpw line with a
    	line containing the new, encrypted password so that the line
    	looks similar to this:
    
    		rootpw		{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
    
    
    4. References
    
    	Specific references for this advisory:
    		none
    
    	Caldera OpenLinux security resources:
    		http://www.caldera.com/support/security/index.html
    
    	Caldera UNIX security resources:
    		http://stage.caldera.com/support/security/
    
    	This security advisory closes Caldera incidents sr864231,
    	erg501574.
    
    
    
    5. Disclaimer
    
    	Caldera International, Inc. is not responsible for the misuse
    	of any of the information we provide on this website and/or
    	through our security advisories. Our advisories are a service
    	to our customers intended to promote secure installation and
    	use of Caldera products.
    
    ______________________________________________________________________________
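
An added example, not part of Caldera's advisory: a shell function that reports whether the rootpw directive in a slapd.conf-style file still holds a cleartext value, so the file can be checked before and after the steps in section 3. The name audit_rootpw, its exit codes and the two sample files are assumptions made for this example, and the sample contents are constructed.

```shell
#!/bin/sh
# audit_rootpw FILE  (hypothetical helper, not shipped with any product)
# Exit status: 0 = every rootpw value is hashed
#              1 = at least one rootpw value is cleartext
#              2 = no rootpw directive found, or file unreadable
# The password value itself is never printed.
audit_rootpw() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        $1 == "rootpw" {
            seen = 1
            # A hashed value starts with a {SCHEME} tag such as {SSHA}.
            # {CLEARTEXT} is also a tag, but what follows it is not hashed.
            if ($2 !~ /^[{][A-Za-z0-9-]+[}]/ || toupper($2) ~ /^[{]CLEARTEXT[}]/) {
                printf "%s:%d: rootpw is stored in cleartext\n", FILENAME, NR
                bad = 1
            }
        }
        END { if (bad) exit 1; if (!seen) exit 2 }
    ' "$conf"
}

# Demo on two constructed files (sample data, not a real configuration).
demo_dir=$(mktemp -d)
printf 'rootdn\t\t"cn=admin,o=example"\nrootpw\t\tnot-a-real-password\n' \
    > "$demo_dir/before.conf"
printf 'rootdn\t\t"cn=admin,o=example"\nrootpw\t\t{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz\n' \
    > "$demo_dir/after.conf"

audit_rootpw "$demo_dir/before.conf" || echo "before.conf: exit status $?"
audit_rootpw "$demo_dir/after.conf" && echo "after.conf: rootpw is hashed"
```

On a live system the argument would be the /etc/ldap/slapd.conf path named in the advisory, read as root.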
    
    
    


