Monday, October 27, 2014

ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability


EMC Identifier: ESA-2014-094
CVE Identifier: CVE-2014-4623
Severity Rating: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)

Affected products:
• EMC Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE) running Avamar 6.0.x, 6.1.x, and 7.0.x running with optional Password hardening package earlier than version 2.0.0.4

Summary:
EMC ADS/AVE Password hardening package stores passwords using a weak cryptographic scheme that may be susceptible to password cracking attacks.

Details:
EMC ADS/AVE Password hardening package uses the DES-based traditional Unix crypt scheme that may be susceptible to brute force and dictionary attacks if the hashes are obtained by an adversary. The hardening package is an optional package and installed separately.

Resolution:
Customers using affected versions of Avamar ADS/AVE with the Password hardening package in use can refer to https://support.emc.com/kb/125553 for access and installation instructions for the updated Password hardening package version 2.0.0.4 which resolves the issue. Alternatively, the issue can be mitigated by manually editing /etc/pam.d/common-password-pc and adding "sha512" to the pam_unix.so line.

Note: All operating system passwords should be changed using the Avamar "change-passwords" utility once the fix has been applied.

Customers using affected versions may also upgrade their ADS or AVE servers to version 7.1 which includes the latest password hardening package.

Credits:
EMC would like to thank Thorsten Tüllmann (researcher at KIT, Germany) and KIT-CERT for reporting this issue.

Link to remedies:
To upgrade to ADS or AVE version 7.1 or for any questions regarding this advisory please contact EMC customer support at https://support.emc.com.

EMC Product Security Response Center
security_alert@emc.com
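As an added illustration (not part of the EMC advisory or of EMC's tooling), the Python example below checks the two conditions the Resolution section implies: whether the pam_unix.so password line carries sha512, and which accounts still hold a non-SHA-512 hash and so still need a password change. The function names, shadow entries and PAM lines are constructed assumptions.

```python
import re

# Traditional DES crypt: 2-char salt + 11-char hash, no "$id$" prefix.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
MODULAR_IDS = {"1": "md5", "5": "sha256", "6": "sha512"}

def classify_hash(field):
    """Name the scheme of one shadow-format password field."""
    body = field.lstrip("!")          # a leading "!" marks a locked password
    if body in ("", "*"):
        return "none"
    if body.startswith("$"):
        parts = body.split("$")
        return MODULAR_IDS.get(parts[1], "other") if len(parts) > 2 else "other"
    return "des" if DES_CRYPT.fullmatch(body) else "other"

def accounts_not_sha512(shadow_text):
    """Map user -> scheme for every account whose hash is not sha512."""
    found = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        scheme = classify_hash(fields[1])
        if scheme not in ("none", "sha512"):
            found[fields[0]] = scheme
    return found

def pam_unix_uses_sha512(pam_text):
    """True if the first active 'password' line for pam_unix.so has sha512."""
    for line in pam_text.splitlines():
        tokens = line.split("#", 1)[0].split()   # drop trailing comments
        mods = [i for i, t in enumerate(tokens) if t.endswith("pam_unix.so")]
        if tokens[:1] == ["password"] and mods:
            return "sha512" in tokens[mods[0] + 1:]
    return False

# Constructed sample data (not real hashes, not taken from an Avamar system).
SAMPLE_SHADOW = "\n".join([
    "root:ab0123456789A:16370:0:99999:7:::",          # 13 chars: DES crypt shape
    "admin:$6$examplesalt$" + "A" * 86 + ":16370:0:99999:7:::",
    "dpn:!xy.ABCDEFGHIJ:16370:0:99999:7:::",          # locked, still DES shape
    "daemon:*:16000::::::",
])
PAM_BEFORE = "password required pam_unix.so use_authtok nullok\n"
PAM_AFTER = "password required pam_unix.so use_authtok nullok sha512\n"

if __name__ == "__main__":
    print("sha512 configured:", pam_unix_uses_sha512(PAM_AFTER))
    print("still to be changed:", accounts_not_sha512(SAMPLE_SHADOW))
```

On a real system the inputs would be the contents of /etc/pam.d/common-password-pc and /etc/shadow, read as root; hashes created before the PAM change stay in their old scheme until each password is changed.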
