-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _____________________________________________________________ Likewise Security Advisory LWSA-2010-001 http://www.likewise.com/ _____________________________________________________________ Package : Likewise Open Service : Likewise Security Authority (lsassd) Date : 26-July-2010 Platform(s) : Linux, OS X, Solaris, HP-UX, AIX, FreeBSD Versions : Likewise Open 5.4 (prior to build 8046) Likewise-CIFS 5.4 (prior to build 8046) Likewise Open 6.0 (prior to build 8234) CVE(s) : CVE-2010-0833 _____________________________________________________________ Summary: A logic flaw has been found in the pam_lsass library that, when run under the context of a root service (e.g. sshd, gdm, etc.), will allow any user to logon as a lsassd local-provider account (e.g. MACHINE\Administrator) if the account's password is marked as expired. The cause is that the pam_lsass library uses SetPassword logic when detecting that the uid is 0 therefore not requiring that the intruder validate against the expired password before being allowed to specify a new password. All Likewise Open users are encouraged to upgrade to the latest released packages for their version or to to employ the stated workaround until such a time when an upgrade may be performed. This defect was first reported by Matt Weatherford from the University of Washington. Our thanks to Matt for helping improve Likewise Open. _____________________________________________________________ Workaround: Explicitly disabling the MACHINE\Administrator (or any other lsassd local-provider accounts not in use) will prevent unauthorized access. This may be done by running the following command as the local superuser. Replace <MACHINE> with the hostname of the local system $ lw-mod-user --disable-user "<MACHINE>\Administrator" You may verify that the account is disabled by running the lw-find-user-by-name command $ lw-find-user-by-name --level 2 "MACHINE\Administrator" ... Account disabled (or locked): TRUE _____________________________________________________________ Updated Packages: New packages for both Likewise Open 5.4 and Likewise Open 6.0 have been made available from http://www.likewise.com/products/likewise_open/ _____________________________________________________________ Likewise Security Team security (at) likewise (dot) com [email concealed] http://www.likewise.com/ _____________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iD8DBQFMTaeEIR7qMdg1EfYRAmVHAJ9HdRQ0ZqZv7upK7zelFs5ngsQ1iQCghA/m gBLjKaq4DbZ1hHO4TGtbmyQ= =eUL5 -----END PGP SIGNATURE-----