Executive Summary

Summary
Titlelibuser security update
Informations
NameRHSA-2011:0170First vendor Publication2011-01-20
VendorRedHatLast vendor Modification2011-01-20
Severity (Vendor) ModerateRevision01

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Cvss Base Score6.4Attack RangeNetwork
Cvss Impact Score4.9Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated libuser packages that fix one security issue are now available for
Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The libuser library implements a standardized interface for manipulating
and administering user and group accounts. Sample applications that are
modeled after applications from the shadow password suite (shadow-utils)
are included in these packages.

It was discovered that libuser did not set the password entry correctly
when creating LDAP (Lightweight Directory Access Protocol) users. If an
administrator did not assign a password to an LDAP based user account,
either at account creation with luseradd, or with lpasswd after account
creation, an attacker could use this flaw to log into that account with a
default password string that should have been rejected. (CVE-2011-0002)

Note: LDAP administrators that have used libuser tools to add users should
check existing user accounts for plain text passwords, and reset them as
necessary.

Users of libuser should upgrade to these updated packages, which contain a
backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

643227 - CVE-2011-0002 libuser creates LDAP users with a default password

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2011-0170.html

CWE : Common Weakness Enumeration

idName
CWE-310Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21850
 
Oval ID: oval:org.mitre.oval:def:21850
Title: RHSA-2011:0170: libuser security update (Moderate)
Description: libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values.
Family: unix Class: patch
Reference(s): RHSA-2011:0170-01
CESA-2011:0170
CVE-2011-0002
Version: 4
Platform(s): Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
CentOS Linux 5
CentOS Linux 6
Product(s): libuser
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20643
 
Oval ID: oval:org.mitre.oval:def:20643
Title: VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
Description: libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0002
Version: 4
Platform(s): VMWare ESX Server 4.1
VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23349
 
Oval ID: oval:org.mitre.oval:def:23349
Title: ELSA-2011:0170: libuser security update (Moderate)
Description: libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values.
Family: unix Class: patch
Reference(s): ELSA-2011:0170-01
CVE-2011-0002
Version: 3
Platform(s): Oracle Linux 6
Oracle Linux 5
Oracle Linux 4
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23084
 
Oval ID: oval:org.mitre.oval:def:23084
Title: ELSA-2011:0170: libuser security update (Moderate)
Description: libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values.
Family: unix Class: patch
Reference(s): ELSA-2011:0170-01
CVE-2011-0002
Version: 3
Platform(s): Oracle Linux 6
Oracle Linux 5
Oracle Linux 4
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application104

OpenVAS Exploits

DateDescription
2012-07-30Name : CentOS Update for libuser CESA-2011:0170 centos4 x86_64
File : nvt/gb_CESA-2011_0170_libuser_centos4_x86_64.nasl
2012-07-30Name : CentOS Update for libuser CESA-2011:0170 centos5 x86_64
File : nvt/gb_CESA-2011_0170_libuser_centos5_x86_64.nasl
2011-08-09Name : CentOS Update for libuser CESA-2011:0170 centos5 i386
File : nvt/gb_CESA-2011_0170_libuser_centos5_i386.nasl
2011-02-11Name : CentOS Update for libuser CESA-2011:0170 centos4 i386
File : nvt/gb_CESA-2011_0170_libuser_centos4_i386.nasl
2011-01-31Name : Mandriva Update for libuser MDVSA-2011:019 (libuser)
File : nvt/gb_mandriva_MDVSA_2011_019.nasl
2011-01-24Name : Fedora Update for libuser FEDORA-2011-0316
File : nvt/gb_fedora_2011_0316_libuser_fc14.nasl
2011-01-24Name : Fedora Update for libuser FEDORA-2011-0320
File : nvt/gb_fedora_2011_0320_libuser_fc13.nasl
2011-01-21Name : RedHat Update for libuser RHSA-2011:0170-01
File : nvt/gb_RHSA-2011_0170-01_libuser.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
70421libuser luseradd Default Password Weakness

Information Assurance Vulnerability Management (IAVM)

DateDescription
2011-12-01IAVM : 2011-A-0160 - Multiple Vulnerabilities in VMware vCenter Server 4.0 and vCenter Update Mana...
Severity : Category I - VMSKEY : V0030769

Nessus® Vulnerability Scanner

DateDescription
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-0170.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110120_libuser_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2011-10-28Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2011-0013.nasl - Type : ACT_GATHER_INFO
2011-02-06Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-0170.nasl - Type : ACT_GATHER_INFO
2011-01-28Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-019.nasl - Type : ACT_GATHER_INFO
2011-01-24Name : The remote Fedora host is missing a security update.
File : fedora_2011-0316.nasl - Type : ACT_GATHER_INFO
2011-01-24Name : The remote Fedora host is missing a security update.
File : fedora_2011-0320.nasl - Type : ACT_GATHER_INFO
2011-01-21Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0170.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:54:16
  • Multiple Updates