The OpenNET Project
 


Security Update: [CSSA-2002-024.0] Volution Manager: Directory Administrator password in cleartext


Date: Mon, 3 Jun 2002 13:58:59 -0700
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2002-024.0] Volution Manager: Directory Administrator password in cleartext

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com


______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Volution Manager: Directory Administrator password in cleartext
Advisory number: 	CSSA-2002-024.0
Issue date: 		2002 June 3
Cross reference:
______________________________________________________________________________


1. Problem Description

	Volution Manager stores the unencrypted Directory
	Administrator's password in the /etc/ldap/slapd.conf file.

	This vulnerability will be corrected in the next release of
	Volution Manager.


2. Vulnerable Supported Versions


	System				Package
	----------------------------------------------------------------------
	Volution Manager 1.1		Standard


3. Solution

	Volution Manager stores the unencrypted Directory
	Administrator's password in the /etc/ldap/slapd.conf file.
	The password line looks similar to this:

		rootpw		<clear_text_password>

	Caldera strongly recommends that you encrypt this password,
	using the following steps:

	As the root user, run slappasswd, entering your desired
	password at the prompts (the example uses newpasswd as the new
	password; the password will not be seen as you type it).

	# slappasswd
	New password: newpasswd
	Re-enter new password: newpasswd
	{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
	#

	The output is the new, encrypted password. In the file
	/etc/ldap/slapd.conf, replace the previous rootpw line with a
	line containing the new, encrypted password so that the line
	looks similar to this:

		rootpw		{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
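
	To confirm the change took effect, the rootpw line can be checked
	for a {SCHEME} prefix. The script below is an added example, not
	part of the Caldera advisory; the function name audit_rootpw and
	the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Caldera's code. Reports each rootpw directive in a
# slapd.conf-style file as hashed or CLEARTEXT without echoing the value.
# Returns 0 if all are hashed, 1 if any is cleartext, 2 if unreadable.
audit_rootpw() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }                  # skip comment lines
        tolower($1) != "rootpw" { next }     # directive names are case-insensitive
        {
            val = $2
            gsub(/^"|"$/, "", val)           # the value may be double-quoted
            scheme = ""
            if (match(val, /^[{][A-Za-z0-9-]+[}]/))
                scheme = toupper(substr(val, 2, RLENGTH - 2))
            # No {SCHEME} prefix, or the explicit {CLEARTEXT} scheme, means
            # the password itself is stored in the file.
            if (scheme == "" || scheme == "CLEARTEXT") {
                printf "line %d: CLEARTEXT\n", NR
                bad = 1
            } else {
                printf "line %d: hashed (%s)\n", NR, scheme
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the "before" and "after" rootpw lines from this advisory.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed test input
rootpw		newpasswd
rootpw		{SSHA}AvcGnFPjUCqbIs/Ki8XfiOYJwttfwnRz
EOF
audit_rootpw "$sample" || echo "cleartext rootpw found in $sample"
rm -f "$sample"
```

	Run as root against /etc/ldap/slapd.conf; an exit status of 1
	means at least one rootpw line still holds a cleartext password.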


4. References

	Specific references for this advisory:
		none

	Caldera OpenLinux security resources:
		http://www.caldera.com/support/security/index.html

	Caldera UNIX security resources:
		http://stage.caldera.com/support/security/

	This security advisory closes Caldera incidents sr864231,
	erg501574.



5. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.

______________________________________________________________________________
