From: security@caldera.com
Date: Mon Jun 03 2002 - 15:58:59 CDT

    To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com

    ______________________________________________________________________________

                    Caldera International, Inc. Security Advisory

    Subject: Volution Manager: Directory Administrator password in cleartext
    Advisory number: CSSA-2002-024.0
    Issue date: 2002 June 3
    Cross reference:
    ______________________________________________________________________________

    1. Problem Description

            Volution Manager stores the unencrypted Directory
            Administrator's password in the /etc/ldap/slapd.conf file.

            This vulnerability will be corrected in the next release of
            Volution Manager.

    2. Vulnerable Supported Versions

            System Package
            ----------------------------------------------------------------------
            Volution Manager 1.1 Standard

    3. Solution

            Volution Manager stores the unencrypted Directory
            Administrator's password in the /etc/ldap/slapd.conf file.
            The password line looks similar to this:

                    rootpw <clear_text_password>

            Caldera strongly recommends that you encrypt this password,
            using the following steps:

            As the root user, run slappasswd, entering your desired
            password at the prompts (the example uses newpasswd as the new
            password; the password will not be seen as you type it).

            # slappasswd
            New password: newpasswd
            Re-enter new password: newpasswd
            {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
            #

            The output is the new, encrypted password. In the file
            /etc/ldap/slapd.conf, replace the previous rootpw line with a
            line containing the new, encrypted password so that the line
            looks similar to this:

                    rootpw {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz

    4. References

            Specific references for this advisory:
                    none

            Caldera OpenLinux security resources:
                    http://www.caldera.com/support/security/index.html

            Caldera UNIX security resources:
                    http://stage.caldera.com/support/security/

            This security advisory closes Caldera incidents sr864231,
            erg501574.

    5. Disclaimer

            Caldera International, Inc. is not responsible for the misuse
            of any of the information we provide on this website and/or
            through our security advisories. Our advisories are a service
            to our customers intended to promote secure installation and
            use of Caldera products.

    ______________________________________________________________________________
