ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability Oct 22 2014 02:35PM
Security Alert (Security_Alert emc com)

Hash: SHA1

ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability

EMC Identifier: ESA-2014-094

CVE Identifier: CVE-2014-4623

Severity Rating: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)

Affected products:

? EMC Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE) running Avamar 6.0.x, 6.1.x, and 7.0.x running with optional Password hardening package earlier than version


EMC ADS/AVE Password hardening package stores passwords using a weak cryptographic scheme that may be susceptible to password cracking attacks.


EMC ADS/AVE Password hardening package uses the DES-based traditional Unix crypt scheme that may be susceptible to brute force and dictionary attacks if the hashes are obtained by an adversary. The hardening package is an optional package and installed separately.


Customers using affected versions of Avamar ADS/AVE with the Password hardening package in use can refer to https://support.emc.com/kb/125553 for access and installation instructions for the updated Password hardening package version which resolves the issue. Alternatively, the issue can be mitigated by manually editing /etc/pam.d/common-password-pc and adding ?sha512? to the pam_unix.so line.

Note: All operating system passwords should be changed using the Avamar "change-passwords" utility once the fix has been applied.

Customers using affected versions may also upgrade their ADS or AVE servers to version 7.1 which includes the latest password hardening package.


EMC would like to thank Thorsten Tüllmann (researcher at KIT, Germany) and KIT-CERT for reporting this issue.

Link to remedies:

To upgrade to ADS or AVE version 7.1 or for any questions regarding this advisory please contact EMC customer support at https://support.emc.com.

EMC Product Security Response Center

security_alert (at) emc (dot) com [email concealed]

Version: GnuPG v1.4.13 (Cygwin)


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus