Bugtraq mailing list archives

Security Update: [CSSA-2002-024.0] Volution Manager: Directory Administrator password in cleartext


From: security () caldera com
Date: Mon, 3 Jun 2002 13:58:59 -0700

To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com


______________________________________________________________________________

                Caldera International, Inc.  Security Advisory

Subject:                Volution Manager: Directory Administrator password in cleartext
Advisory number:        CSSA-2002-024.0
Issue date:             2002 June 3
Cross reference:
______________________________________________________________________________


1. Problem Description

        Volution Manager stores the unencrypted Directory
        Administrator's password in the /etc/ldap/slapd.conf file.

        This vulnerability will be corrected in the next release of
        Volution Manager.


2. Vulnerable Supported Versions


        System                          Package
        ----------------------------------------------------------------------
        Volution Manager 1.1            Standard


3. Solution

        Volution Manager stores the unencrypted Directory
        Administrator's password in the /etc/ldap/slapd.conf file.
        The password line looks similar to this:

                rootpw          <clear_text_password>

        Caldera strongly recommends that you encrypt this password,
        using the following steps:

        As the root user, run slappasswd, entering your desired
        password at the prompts (the example uses newpasswd as the new
        password; the password will not be seen as you type it).

        # slappasswd
        New password: newpasswd
        Re-enter new password: newpasswd
        {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
        #

        The output is the new, encrypted password. In the file
        /etc/ldap/slapd.conf, replace the previous rootpw line with a
        line containing the new, encrypted password so that the line
        looks similar to this:

                rootpw          {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
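
        The following check is an added example, not part of the
        Caldera advisory or of Volution Manager. It flags rootpw lines
        that carry no {SCHEME} tag and shows how an {SSHA} value (a
        salted SHA-1 hash) is built and verified. The function names
        and the sample configuration are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Matches an active (uncommented) rootpw directive in slapd.conf.
ROOTPW_RE = re.compile(r'^\s*rootpw\s+(.+?)\s*$', re.IGNORECASE)
# A hashed value starts with a scheme tag such as {SSHA} or {CRYPT}.
SCHEME_RE = re.compile(r'^\{[A-Za-z0-9-]+\}')


def ssha_hash(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def find_cleartext_rootpw(conf_text):
    """Return 1-based line numbers of rootpw lines with no scheme tag."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = ROOTPW_RE.match(line)
        if match and not SCHEME_RE.match(match.group(1).strip('"')):
            hits.append(number)
    return hits


# Constructed sample input (not a real configuration).
SAMPLE_CONF = """\
rootdn          "cn=admin,dc=example,dc=com"
rootpw          secret-in-the-clear
# rootpw        commented-out-value
rootpw          {SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
"""

if __name__ == "__main__":
    print("cleartext rootpw on lines:", find_cleartext_rootpw(SAMPLE_CONF))
```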


4. References

        Specific references for this advisory:
                none

        Caldera OpenLinux security resources:
                http://www.caldera.com/support/security/index.html

        Caldera UNIX security resources:
                http://stage.caldera.com/support/security/

        This security advisory closes Caldera incidents sr864231,
        erg501574.



5. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on this website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera products.

______________________________________________________________________________
