Executive Summary
Summary | |
---|---|
Title | libuser security update |
Information | | | |
---|---|---|---|
Name | RHSA-2011:0170 | First vendor Publication | 2011-01-20 |
Vendor | RedHat | Last vendor Modification | 2011-01-20 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:N) | | | |
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Problem Description:

Updated libuser packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

- RHEL Desktop Workstation (v. 5 client) - i386, x86_64
- Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
- Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
- Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
- Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
- Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
- Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
- Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
- Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
- Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
- Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
- Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
- Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
- Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
- Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The libuser library implements a standardized interface for manipulating and administering user and group accounts. Sample applications that are modeled after applications from the shadow password suite (shadow-utils) are included in these packages.

It was discovered that libuser did not set the password entry correctly when creating LDAP (Lightweight Directory Access Protocol) users. If an administrator did not assign a password to an LDAP based user account, either at account creation with luseradd, or with lpasswd after account creation, an attacker could use this flaw to log into that account with a default password string that should have been rejected. (CVE-2011-0002)

Note: LDAP administrators that have used libuser tools to add users should check existing user accounts for plain text passwords, and reset them as necessary.

Users of libuser should upgrade to these updated packages, which contain a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

643227 - CVE-2011-0002 libuser creates LDAP users with a default password
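The advisory's note asks LDAP administrators to check existing accounts for plain-text passwords left behind by the libuser tools. The following is an added example of such a check, not code from Red Hat, libuser or this database: it reads an LDIF export of the user subtree (for example the output of `ldapsearch -LLL`, which is assumed to be how the data was collected), decodes base64 attribute values, and flags entries whose `userPassword` is one of the default cleartext values named in the OVAL description ("!!" or "x"), is not tagged with an RFC 2307 `{scheme}` prefix, or is missing from a `posixAccount` entry. The sample LDIF embedded below is constructed for illustration.

```python
"""Audit an LDIF export for the cleartext default passwords that libuser
before 0.57 stored on new LDAP accounts (CVE-2011-0002).

Added example for this advisory page; not Red Hat's or libuser's code.
Runs offline on an LDIF file, so it can be pointed at an export taken
with `ldapsearch -LLL` (an assumed collection step).
"""
import base64
import re

# Values the advisory/OVAL text says libuser left as the account "password"
# when the administrator assigned none.
LIBUSER_DEFAULT_VALUES = {"!!", "x"}

# RFC 2307 style prefixes ({SSHA}, {CRYPT}, ...) mark a scheme-tagged hash.
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")

# One "attr: value" or base64 "attr:: value" LDIF line.
ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader returning a list of (dn, {attr_lower: [values]}).
    Unfolds continuation lines, skips comments and decodes base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(attr.lower(), []).append(value)
    return entries


def audit_entry(dn, attrs):
    """Return a list of findings for one entry; an empty list means clean."""
    findings = []
    values = attrs.get("userpassword")
    if values is None:
        # A login account (posixAccount) with no password attribute at all is
        # worth listing; other object classes may legitimately lack one.
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" in classes:
            findings.append("posixAccount without userPassword")
        return findings
    for v in values:
        if v in LIBUSER_DEFAULT_VALUES:
            findings.append(f"libuser default cleartext value {v!r} (CVE-2011-0002)")
        elif not SCHEME_RE.match(v):
            findings.append("userPassword is not scheme-tagged (stored in cleartext?)")
    return findings


def audit_ldif(text):
    """Map each DN that has findings to its list of findings."""
    report = {}
    for dn, attrs in parse_ldif(text):
        findings = audit_entry(dn, attrs)
        if findings:
            report[dn] = findings
    return report


# Constructed sample export; not real directory data. "ISE=" is base64 "!!".
SAMPLE_LDIF = """\
# constructed sample, four accounts
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
userPassword: {SSHA}2aDmiJ2u2sQ9ec+JkeC7h13n6j+5gUoU

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
userPassword:: ISE=

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
userPassword: x

dn: uid=dave,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: dave
"""

if __name__ == "__main__":
    for entry_dn, problems in audit_ldif(SAMPLE_LDIF).items():
        for problem in problems:
            print(f"{entry_dn}: {problem}")
```

Accounts the audit lists should have their password reset (with `lpasswd` on a fixed libuser, or the directory's own tools), as the advisory instructs; the `{scheme}` check is broader than the CVE itself and will also surface any other cleartext `userPassword` values in the export.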
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2011-0170.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:20643 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:20643 | | |
Title: | VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX | | |
Description: | libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values. | | |
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-0002 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1, VMWare ESX Server 4.0 | Product(s): | |
Definition Synopsis: | | | |

Definition Id: oval:org.mitre.oval:def:21850 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:21850 | | |
Title: | RHSA-2011:0170: libuser security update (Moderate) | | |
Description: | libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values. | | |
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0170-01, CESA-2011:0170, CVE-2011-0002 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 5, CentOS Linux 5, CentOS Linux 6 | Product(s): | libuser |
Definition Synopsis: | | | |

Definition Id: oval:org.mitre.oval:def:23084 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:23084 | | |
Title: | DEPRECATED: ELSA-2011:0170: libuser security update (Moderate) | | |
Description: | libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values. | | |
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0170-01, CVE-2011-0002 | Version: | 7 |
Platform(s): | Oracle Linux 6, Oracle Linux 5 | Product(s): | libuser |
Definition Synopsis: | | | |

Definition Id: oval:org.mitre.oval:def:23349 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:23349 | | |
Title: | ELSA-2011:0170: libuser security update (Moderate) | | |
Description: | libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values. | | |
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0170-01, CVE-2011-0002 | Version: | 6 |
Platform(s): | Oracle Linux 6, Oracle Linux 5 | Product(s): | libuser |
Definition Synopsis: | | | |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Name | File |
---|---|---|
2012-07-30 | CentOS Update for libuser CESA-2011:0170 centos4 x86_64 | nvt/gb_CESA-2011_0170_libuser_centos4_x86_64.nasl |
2012-07-30 | CentOS Update for libuser CESA-2011:0170 centos5 x86_64 | nvt/gb_CESA-2011_0170_libuser_centos5_x86_64.nasl |
2011-08-09 | CentOS Update for libuser CESA-2011:0170 centos5 i386 | nvt/gb_CESA-2011_0170_libuser_centos5_i386.nasl |
2011-02-11 | CentOS Update for libuser CESA-2011:0170 centos4 i386 | nvt/gb_CESA-2011_0170_libuser_centos4_i386.nasl |
2011-01-31 | Mandriva Update for libuser MDVSA-2011:019 (libuser) | nvt/gb_mandriva_MDVSA_2011_019.nasl |
2011-01-24 | Fedora Update for libuser FEDORA-2011-0316 | nvt/gb_fedora_2011_0316_libuser_fc14.nasl |
2011-01-24 | Fedora Update for libuser FEDORA-2011-0320 | nvt/gb_fedora_2011_0320_libuser_fc13.nasl |
2011-01-21 | RedHat Update for libuser RHSA-2011:0170-01 | nvt/gb_RHSA-2011_0170-01_libuser.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Title | Description |
---|---|---|
70421 | libuser luseradd Default Password Weakness | By default, luseradd assigns a default password when no password is specified. This allows attackers to trivially access new user accounts, or accounts that have never had a password change. |
Information Assurance Vulnerability Management (IAVM)
Date | IAVM | Severity | VMSKEY |
---|---|---|---|
2011-12-01 | 2011-A-0160 - Multiple Vulnerabilities in VMware vCenter Server 4.0 and vCenter Update Mana... | Category I | V0030769 |
Nessus® Vulnerability Scanner
Date | Name | File | Type |
---|---|---|---|
2016-03-04 | The remote VMware ESX / ESXi host is missing a security-related patch. | vmware_VMSA-2011-0013_remote.nasl | ACT_GATHER_INFO |
2013-07-12 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2011-0170.nasl | ACT_GATHER_INFO |
2012-08-01 | The remote Scientific Linux host is missing one or more security updates. | sl_20110120_libuser_on_SL4_x.nasl | ACT_GATHER_INFO |
2011-10-28 | The remote VMware ESXi / ESX host is missing one or more security-related pat... | vmware_VMSA-2011-0013.nasl | ACT_GATHER_INFO |
2011-02-06 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2011-0170.nasl | ACT_GATHER_INFO |
2011-01-28 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2011-019.nasl | ACT_GATHER_INFO |
2011-01-24 | The remote Fedora host is missing a security update. | fedora_2011-0316.nasl | ACT_GATHER_INFO |
2011-01-24 | The remote Fedora host is missing a security update. | fedora_2011-0320.nasl | ACT_GATHER_INFO |
2011-01-21 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2011-0170.nasl | ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:54:16 | |