Executive Summary

Summary
Title: Oracle Solaris 10 password hashes leaked through back-out patch files
Information
Name: VU#648244
First vendor Publication: 2011-04-05
Vendor: VU-CERT
Last vendor Modification: 2011-04-05
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score: 2.1
CVSS Impact Score: 2.9
CVSS Exploit Score: 3.9
Attack Range: Local
Attack Complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#648244

Oracle Solaris 10 password hashes leaked through back-out patch files

Overview

Oracle Solaris 10 back-out patch files (undo.Z) contain password hashes which may be readable by unprivileged users.

I. Description

The root password hash along with other users' password hashes may be contained in the back-out patch files. In some instances, these files may be readable by unprivileged users. An unprivileged user can extract the password hashes from the file and perform a brute force attack on the password hashes in an attempt to recover the password.

II. Impact

An attacker may be able to obtain the credentials for the root or other user accounts.

III. Solution

Apply an Update

Install patch 119254-80. Patch 119254-80 is also part of the April 1st recommended patch set for Solaris 10.

Restrict Access
System administrators should make sure the permissions for back-out patch files are not world-readable. These can typically be found at /var/sadm/pkg/<pkgname>/save/<patchid>/undo.Z.
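The "Restrict Access" advice above can be turned into a repeatable check. The following POSIX sh script is an added example, not code from the CERT note or from Oracle: it walks the /var/sadm/pkg tree described in the note, reports every undo.Z whose other-read bit is set (the condition that lets an unprivileged user read the file), and optionally strips group/other access. The function names, the --audit/--fix switches and the optional PKGROOT argument are assumptions for this example; the patch 119254-80 from the "Apply an Update" section should still be installed, since this only cleans up files already on disk.

```shell
#!/bin/sh
# Added example (not from the CERT note or Oracle): audit Solaris back-out
# patch files for world-readable permissions. The layout
# /var/sadm/pkg/<pkgname>/save/<patchid>/undo.Z follows the note; the
# function names and the PKGROOT argument are assumptions for this example.

# find_world_readable_undo [PKGROOT]
# Prints, one per line, every undo.Z below PKGROOT (default /var/sadm/pkg)
# whose "other" read bit is set. -perm -004 is the POSIX octal form, so it
# works with Solaris, GNU and BSD find; -type f skips directories and links.
find_world_readable_undo() {
    pkgroot="${1:-/var/sadm/pkg}"
    find "$pkgroot" -type f -name undo.Z -perm -004 2>/dev/null | sort
}

# audit_undo_perms [PKGROOT]
# Exit status 0 when no world-readable undo.Z exists, 1 otherwise, so the
# check can be wired into a cron job or configuration-compliance run.
audit_undo_perms() {
    [ -z "$(find_world_readable_undo "${1:-/var/sadm/pkg}")" ]
}

# fix_undo_perms [PKGROOT]
# Removes group and other access from each world-readable undo.Z found.
# Owner permissions are left alone so patchrm(1M) can still use the file.
fix_undo_perms() {
    pkgroot="${1:-/var/sadm/pkg}"
    find_world_readable_undo "$pkgroot" | while IFS= read -r f; do
        chmod go-rwx "$f" && echo "fixed: $f"
    done
}

# Usage: sh undo-audit.sh --audit [PKGROOT]   (report only)
#        sh undo-audit.sh --fix   [PKGROOT]   (report and chmod)
# Sourcing the file without arguments only defines the functions.
case "${1:-}" in
    --audit) find_world_readable_undo "${2:-/var/sadm/pkg}" ;;
    --fix)   fix_undo_perms "${2:-/var/sadm/pkg}" ;;
esac
```

Run the audit as an unprivileged user first: if it lists anything, that is exactly the exposure the note describes, since the listing user could read those files. The fix needs root and should be re-run after any future patch installation, because a new back-out file is written each time.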

Vendor Information

Vendor: Oracle Corporation
Status: Affected
Date Notified: 2011-01-24
Date Updated:

References

Credit

Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public:2011-04-05
Date First Published:2011-04-05
Date Last Updated:2011-04-05
CERT Advisory: 
CVE-ID(s):CVE-2011-0412
NVD-ID(s):CVE-2011-0412
US-CERT Technical Alerts: 
Severity Metric:0.54
Document Revision:23

Original Source

Url : http://www.kb.cert.org/vuls/id/648244

CWE : Common Weakness Enumeration

100% CWE-255 Credentials Management

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:19456
 
Oval ID: oval:org.mitre.oval:def:19456
Title: CRITICAL PATCH UPDATE APRIL 2011
Description: Oracle Solaris 8, 9, and 10 stores back-out patch files (undo.Z) unencrypted with world-readable permissions under /var/sadm/pkg/, which allows local users to obtain password hashes and conduct brute force password guessing attacks.
Family: unix Class: vulnerability
Reference(s): CVE-2011-0412
Version: 3
Platform(s): Sun Solaris 10
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type: Os
Count: 3

Open Source Vulnerability Database (OSVDB)

Id: 71646
Description: Oracle Solaris Backout File (undo.Z) Permissions Weakness Password Hash Local...

Nessus® Vulnerability Scanner

Date Description
2006-09-04 Name : The remote host is missing Sun Security Patch number 119255-93
File : solaris10_x86_119255.nasl - Type : ACT_GATHER_INFO
2006-08-21 Name : The remote host is missing Sun Security Patch number 119254-93
File : solaris10_119254.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 110934-28
File : solaris8_110934.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 110935-28
File : solaris8_x86_110935.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 113713-30
File : solaris9_113713.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 114568-29
File : solaris9_x86_114568.nasl - Type : ACT_GATHER_INFO