Date: Thu, 14 Feb 2002 12:17:25 -0800
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2002-SCO.5] Open UNIX, UnixWare 7: encrypted password disclosure
--ikeVEW9yuYc//A+q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.=
on.ca
___________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Open UNIX, UnixWare 7: encrypted password disclosure
Advisory number: CSSA-2002-SCO.5
Issue date: 2002 February 14
Cross reference:
___________________________________________________________________________
1. Problem Description
=09
After installation of the product, the file /var/adm/isl/ifile
is left readable by all users. This file contains, among other
things, the encrypted root password, and the encrypted owner
password.
2. Vulnerable Supported Versions
Operating System Version Affected Files
------------------------------------------------------------------
UnixWare 7 All /var/adm/isl/ifile
Open UNIX 8.0.0 /var/adm/isl/ifile
3. Solution
Caldera recommends that all affected systems change the file
modes of /var/adm/isl/ifile to be readable only by root:
# chmod 400 /var/adm/isl/ifile
In addition, Caldera also recommends that you change the root
and owner passwords.
=09
4. References
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.5/
This and other advisories are located at
http://stage.caldera.com/support/security
This advisory addresses Caldera Security internal incidents
sr860350, fz520151.
5. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on our website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera International products.
6. Acknowledgements
Caldera wishes to thank Derryle Gogel <gogeld@citifinancial.com>,
who discovered and researched this vulnerability.
=20
___________________________________________________________________________
--ikeVEW9yuYc//A+q
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjxsG1UACgkQaqoBO7ipriG/5wCfdjhK3ZPgqkAVn7v8+XutjqeG
VekAn3FWKHGKWuG4XZOgvfFIvp8AdaGS
=0L5u
-----END PGP SIGNATURE-----
--ikeVEW9yuYc//A+q--
