Likewise Open 5.4 & 6.0 Multiple Vulns

2010.07.29
Credit: Gerald Carter
Risk: High
Local: No
Remote: Yes
CWE: CWE-287


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

_____________________________________________________________

Likewise Security Advisory LWSA-2010-001
http://www.likewise.com/
_____________________________________________________________

Package     : Likewise Open
Service     : Likewise Security Authority (lsassd)
Date        : 26-July-2010
Platform(s) : Linux, OS X, Solaris, HP-UX, AIX, FreeBSD
Versions    : Likewise Open 5.4 (prior to build 8046)
              Likewise-CIFS 5.4 (prior to build 8046)
              Likewise Open 6.0 (prior to build 8234)
CVE(s)      : CVE-2010-0833
_____________________________________________________________

Summary:

A logic flaw has been found in the pam_lsass library that, when run
under the context of a root service (e.g. sshd, gdm, etc.), will
allow any user to log on as an lsassd local-provider account
(e.g. MACHINE\Administrator) if the account's password is marked
as expired. The cause is that the pam_lsass library uses
SetPassword logic when detecting that the uid is 0, therefore
not requiring that the intruder validate against the expired
password before being allowed to specify a new password.

All Likewise Open users are encouraged to upgrade to the latest
released packages for their version or to employ the stated
workaround until such a time when an upgrade may be performed.

This defect was first reported by Matt Weatherford from the
University of Washington. Our thanks to Matt for helping improve
Likewise Open.
_____________________________________________________________

Workaround:

Explicitly disabling the MACHINE\Administrator (or any other lsassd
local-provider accounts not in use) will prevent unauthorized
access. This may be done by running the following command as the
local superuser. Replace <MACHINE> with the hostname of the local
system.

  $ lw-mod-user --disable-user "<MACHINE>\Administrator"

You may verify that the account is disabled by running the
lw-find-user-by-name command:

  $ lw-find-user-by-name --level 2 "MACHINE\Administrator"
  ...
  Account disabled (or locked): TRUE
_____________________________________________________________

Updated Packages:

New packages for both Likewise Open 5.4 and Likewise Open 6.0
have been made available from
http://www.likewise.com/products/likewise_open/
_____________________________________________________________

Likewise Security Team
security (at) likewise (dot) com
http://www.likewise.com/
_____________________________________________________________
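
The decision described in the Summary, as an added C model. It is not Likewise source code and not the vendor's patch: all struct and function names are hypothetical, the account data is constructed, and the "fixed" check is one assumed way to close the gap.

```c
/* Added illustration: a simplified model of the decision described in the
 * Summary. Not Likewise source; every name below is hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct account { const char *password; bool expired; }; /* plaintext only for the model */

struct request {
    unsigned caller_uid;      /* uid of the process hosting the PAM stack (sshd, gdm: 0) */
    bool expired_logon;       /* change was forced by an expired password at logon */
    const char *old_password; /* NULL when the caller supplied none */
    const char *new_password;
};

/* Flawed: uid 0 is read as "administrator resetting a password" (set-password path). */
static bool needs_old_flawed(const struct request *r) {
    return r->caller_uid != 0;
}

/* Assumed correction: an expired-password logon is always a user change,
 * whatever uid the hosting service runs as. */
static bool needs_old_fixed(const struct request *r) {
    return r->expired_logon || r->caller_uid != 0;
}

static bool change_password(struct account *a, const struct request *r,
                            bool (*needs_old)(const struct request *)) {
    if (needs_old(r) &&
        (r->old_password == NULL || strcmp(r->old_password, a->password) != 0))
        return false;         /* change-password path: old password must match */
    a->password = r->new_password;
    a->expired = false;
    return true;
}

int main(void) {
    /* Constructed sample: expired local account, logon arriving through a root service. */
    struct account acct = { "old-secret", true };
    struct request req = { 0, true, NULL, "caller-chosen" };
    printf("fixed check accepts:  %d\n", change_password(&acct, &req, needs_old_fixed));
    printf("flawed check accepts: %d\n", change_password(&acct, &req, needs_old_flawed));
    return 0;
}
```

The same request is rejected by the fixed check and accepted by the flawed one, which is why the workaround of disabling unused local-provider accounts matters until the updated packages are installed.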

References:

http://www.likewise.com/community/index.php/forums/viewthread/772/
http://www.vupen.com/english/advisories/2010/1913
http://www.ubuntu.com/usn/USN-964-1
http://www.securityfocus.com/archive/1/archive/1/512643/100/0/threaded
http://secunia.com/advisories/40736
http://secunia.com/advisories/40725

