[LWSA-2010-001] Likewise Open 5.4 & 6.0 Jul 26 2010 03:19PM
Gerald Carter (gcarter likewise com)


Likewise Security Advisory LWSA-2010-001

Package : Likewise Open
Service : Likewise Security Authority (lsassd)
Date : 26-July-2010
Platform(s) : Linux, OS X, Solaris, HP-UX, AIX, FreeBSD
Versions : Likewise Open 5.4 (prior to build 8046)
           Likewise-CIFS 5.4 (prior to build 8046)
           Likewise Open 6.0 (prior to build 8234)
CVE(s) : CVE-2010-0833


A logic flaw has been found in the pam_lsass library that,
when run in the context of a root service (e.g. sshd,
gdm, etc.), allows any user to log on as an lsassd
local-provider account (e.g. MACHINE\Administrator) if
the account's password is marked as expired. The cause
is that the pam_lsass library switches to its SetPassword
logic when it detects that the uid is 0, and therefore
does not require the intruder to validate against the
expired password before being allowed to specify a new
password.
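The decision flaw described above is easiest to see side by side with the check that has to remain. The following C program is an added illustration, not pam_lsass source: the toy account table, the login flow, and the function names (authenticate, chauthtok_vulnerable, chauthtok_fixed, login) are assumptions made for the example. It models a root login service that authenticates a user, receives "password expired", and then asks the module to accept a replacement password.

```c
/*
 * Added model of the CVE-2010-0833 decision logic. Not pam_lsass code:
 * the account table, the flow and the function names are assumptions
 * made for illustration only.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum auth_result { AUTH_OK, AUTH_EXPIRED, AUTH_FAIL };
enum decision    { DENY = 0, ALLOW = 1 };

/* Constructed toy records standing in for lsassd local-provider accounts. */
struct account {
    const char *name;
    const char *password;   /* plaintext only because this is a model */
    int         expired;    /* 1: password must be changed at next logon */
};

static const struct account accounts[] = {
    { "MACHINE\\Administrator", "S3cret-old", 1 },
    { "MACHINE\\svc-backup",    "hunter2",    0 },
};

static const struct account *lookup(const char *name) {
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

static int password_matches(const struct account *a, const char *pw) {
    return pw != NULL && strcmp(a->password, pw) == 0;
}

/* Authentication step: an expired account is reported as "new token
 * required" so the login service moves on to the password-change step. */
enum auth_result authenticate(const char *name, const char *pw) {
    const struct account *a = lookup(name);
    if (a == NULL) return AUTH_FAIL;
    if (a->expired) return AUTH_EXPIRED;
    return password_matches(a, pw) ? AUTH_OK : AUTH_FAIL;
}

/* Vulnerable password-change decision: a caller with uid 0 (sshd, gdm, ...)
 * selects the administrative SetPassword path, and the old, expired
 * password is never checked. */
enum decision chauthtok_vulnerable(uid_t caller_uid, const char *name,
                                   const char *old_pw, const char *new_pw) {
    const struct account *a = lookup(name);
    if (a == NULL || new_pw == NULL || new_pw[0] == '\0') return DENY;
    if (caller_uid == 0) return ALLOW;          /* the flaw */
    return password_matches(a, old_pw) ? ALLOW : DENY;
}

/* Corrected decision: the privilege of the calling service says nothing
 * about whether the person at the prompt knows the password, so the
 * expired credential is always verified before a replacement is accepted. */
enum decision chauthtok_fixed(uid_t caller_uid, const char *name,
                              const char *old_pw, const char *new_pw) {
    const struct account *a = lookup(name);
    (void)caller_uid;  /* intentionally not part of the decision */
    if (a == NULL || new_pw == NULL || new_pw[0] == '\0') return DENY;
    return password_matches(a, old_pw) ? ALLOW : DENY;
}

/* The flow a root login service runs: authenticate, then on "expired"
 * call the module's password-change decision. Returns ALLOW if a
 * session would be opened. */
enum decision login(enum decision (*chauthtok)(uid_t, const char *,
                                               const char *, const char *),
                    uid_t service_uid, const char *name,
                    const char *typed_pw, const char *new_pw) {
    switch (authenticate(name, typed_pw)) {
    case AUTH_OK:      return ALLOW;
    case AUTH_FAIL:    return DENY;
    case AUTH_EXPIRED: return chauthtok(service_uid, name, typed_pw, new_pw);
    }
    return DENY;
}

int main(void) {
    /* Someone who does not know the expired password, arriving via a root service. */
    printf("vulnerable module: %s\n",
           login(chauthtok_vulnerable, 0, "MACHINE\\Administrator",
                 "guess", "new-pw") == ALLOW ? "session opened" : "denied");
    printf("fixed module:      %s\n",
           login(chauthtok_fixed, 0, "MACHINE\\Administrator",
                 "guess", "new-pw") == ALLOW ? "session opened" : "denied");
    return 0;
}
```

The point the model makes is that "the calling process is root" is a statement about the service, not about the user it is serving; a login service is by definition handling a not-yet-authenticated principal, so a privilege check on the caller cannot substitute for verifying the old credential.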

All Likewise Open users are encouraged to upgrade to
the latest released packages for their version or to
employ the stated workaround until such a time as
an upgrade may be performed.

This defect was first reported by Matt Weatherford from
the University of Washington. Our thanks to Matt for
helping improve Likewise Open.


Workaround:

Explicitly disabling the MACHINE\Administrator account (or
any other lsassd local-provider accounts not in use) will
prevent unauthorized access. This may be done by running
the following command as the local superuser. Replace
<MACHINE> with the hostname of the local system.

$ lw-mod-user --disable-user "<MACHINE>\Administrator"

You may verify that the account is disabled by running the
lw-find-user-by-name command and checking the "Account
disabled (or locked)" field of its output:

$ lw-find-user-by-name --level 2 "<MACHINE>\Administrator"
Account disabled (or locked): TRUE

Updated Packages:

New packages for both Likewise Open 5.4 and Likewise Open
6.0 have been made available from

Likewise Security Team security (at) likewise (dot) com





Copyright 2010, SecurityFocus