BugTraq
[LWSA-2010-001] Likewise Open 5.4 & 6.0 Jul 26 2010 03:19PM
Gerald Carter (gcarter likewise com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_____________________________________________________________

Likewise Security Advisory LWSA-2010-001
http://www.likewise.com/
_____________________________________________________________

Package : Likewise Open
Service : Likewise Security Authority (lsassd)
Date : 26-July-2010
Platform(s) : Linux, OS X, Solaris, HP-UX, AIX, FreeBSD
Versions : Likewise Open 5.4 (prior to build 8046)
Likewise-CIFS 5.4 (prior to build 8046)
Likewise Open 6.0 (prior to build 8234)
CVE(s) : CVE-2010-0833
_____________________________________________________________

Summary:

A logic flaw has been found in the pam_lsass library that,
when run under the context of a root service (e.g. sshd,
gdm, etc.), will allow any user to logon as a lsassd
local-provider account (e.g. MACHINE\Administrator) if
the account's password is marked as expired. The cause
is that the pam_lsass library uses SetPassword logic when
detecting that the uid is 0 therefore not requiring
that the intruder validate against the expired password
before being allowed to specify a new password.

All Likewise Open users are encouraged to upgrade to
the latest released packages for their version or to
to employ the stated workaround until such a time when
an upgrade may be performed.

This defect was first reported by Matt Weatherford from
the University of Washington. Our thanks to Matt for
helping improve Likewise Open.
_____________________________________________________________

Workaround:

Explicitly disabling the MACHINE\Administrator (or any
other lsassd local-provider accounts not in use) will
prevent unauthorized access. This may be done by running
the following command as the local superuser. Replace
<MACHINE> with the hostname of the local system

$ lw-mod-user --disable-user "<MACHINE>\Administrator"

You may verify that the account is disabled by running the
lw-find-user-by-name command

$ lw-find-user-by-name --level 2 "MACHINE\Administrator"
...
Account disabled (or locked): TRUE
_____________________________________________________________

Updated Packages:

New packages for both Likewise Open 5.4 and Likewise Open
6.0 have been made available from

http://www.likewise.com/products/likewise_open/
_____________________________________________________________
Likewise Security Team security (at) likewise (dot) com [email concealed]
http://www.likewise.com/
_____________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFMTaeEIR7qMdg1EfYRAmVHAJ9HdRQ0ZqZv7upK7zelFs5ngsQ1iQCghA/m
gBLjKaq4DbZ1hHO4TGtbmyQ=
=eUL5
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus