CERT VU:648244
Apr 05, 2011 - 12:00 a.m.

Oracle Solaris 10 password hashes leaked through back-out patch files

www.kb.cert.org

CVSS2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.001 (Percentile: 25.7%)

Overview

Oracle Solaris 10 back-out patch files (undo.Z) contain password hashes which may be readable by unprivileged users.

Description

The root password hash along with other users’ password hashes may be contained in the back-out patch files. In some instances, these files may be readable by unprivileged users. An unprivileged user can extract the password hashes from the file and perform a brute force attack on the password hashes in an attempt to recover the password.


Impact

An attacker may be able to obtain the credentials for the root or other user accounts.


Solution

Apply an Update

Install patch 119254-80. Patch 119254-80 is also part of the April 1st recommended patch set for Solaris 10.


Restrict Access

System administrators should make sure that back-out patch files are not world-readable. These files can typically be found at /var/sadm/pkg/<pkgname>/save/<patchid>/undo.Z.
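
An audit for the permission check described above, as an added example that is not part of the original advisory: it lists undo.Z files under the advisory's /var/sadm/pkg path that are readable by "other" and can remove that access. The function names and the --audit/--fix arguments are illustrative assumptions.

```shell
#!/bin/sh
# Audit Solaris back-out patch files (undo.Z) for world-readable permissions.
# The default root is the path given in the advisory; the function names and
# the --audit/--fix arguments are assumptions made for this example.

PKG_ROOT=${PKG_ROOT:-/var/sadm/pkg}

# Print every undo.Z below the given root whose "other read" bit is set.
list_world_readable_undo() {
    find "${1:-$PKG_ROOT}" -type f -name undo.Z -perm -004 -print
}

# Strip all "other" permissions from each world-readable undo.Z, print the
# files that were changed, and succeed only if none remain afterwards.
restrict_undo() {
    root=${1:-$PKG_ROOT}
    find "$root" -type f -name undo.Z -perm -004 \
        -exec chmod o-rwx {} \; -print
    [ -z "$(list_world_readable_undo "$root")" ]
}

# Run as:  sh audit_undo.sh --audit   (report only)
#          sh audit_undo.sh --fix     (report and restrict, needs root)
case "${1:-}" in
    --audit) list_world_readable_undo "$PKG_ROOT" ;;
    --fix)   restrict_undo "$PKG_ROOT" ;;
esac
```

Restricting the files limits further exposure only; it does not change hashes that may already have been read.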


Vendor Information


Oracle Corporation

Updated: January 24, 2011

Status: Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


Acknowledgements

Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2011-0412
Severity Metric: 0.54
Date Public:
