
Test ID: 1.3.6.1.4.1.25623.1.0.850170
Category: SuSE Local Security Checks
Title: SUSE: Security Advisory for glibc, pam-modules, libxcrypt, pwdutils (SUSE-SA:2011:035)
Summary: The remote host is missing an update for the 'glibc, pam-modules, libxcrypt, pwdutils' package(s) announced via the referenced advisory.
Description: Summary:
The remote host is missing an update for the 'glibc, pam-modules, libxcrypt, pwdutils'
package(s) announced via the referenced advisory.

Vulnerability Insight:
The implementation of the blowfish-based password hashing method had
a bug affecting passwords that contain 8-bit characters (e.g.
umlauts). Affected passwords are potentially faster to crack via
brute-force methods (CVE-2011-2483).

SUSE's crypt() implementation supports the blowfish password hashing
function (id $2a), and system logins by default also use this method.
This update eliminates the bug in the $2a implementation. After
installing the update, existing $2a hashes therefore no longer match
hashes generated with the new, correct implementation if the
password contains 8-bit characters. For system logins via PAM the
pam_unix2 module activates a compat mode and keeps processing
existing $2a hashes with the old algorithm. This ensures no user
gets locked out. New password hashes are created with the id "$2y"
to unambiguously identify them as generated with the correct
implementation.

Services that do not use PAM but do use crypt() to store passwords
using the blowfish hash do not have such a compat mode. That means
users with 8-bit passwords who use such services will not be able to
log in anymore after the update. As a workaround, administrators may
edit the service's password database and change stored hashes from
$2a to $2x. This will result in crypt() using the old algorithm.
Users should be required to change their passwords to make sure they
are migrated to the correct algorithm.
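The migration state described above can be audited from the stored hashes alone. The following is an added example (not part of the advisory or of the scanner test) that classifies bcrypt-style crypt() hashes by their identifier and applies the advisory's $2a-to-$2x relabelling for a non-PAM service; the shadow-format sample lines and the salt/digest filler are constructed. Note that a hash does not reveal whether the password contains 8-bit characters, so every $2a hash is flagged as needing a password change.

```python
import re
from dataclasses import dataclass
from typing import Optional

# bcrypt-style crypt() hash: $<id>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[axy])\$(\d{2})\$([./A-Za-z0-9]{53})$")

# What each identifier means after the SUSE-SA:2011:035 update
IDENT_STATUS = {
    "2y": "new correct implementation; no action needed",
    "2a": "ambiguous (old buggy or new correct); 8-bit passwords fail on non-PAM services",
    "2x": "old algorithm kept on purpose; login works, password change still required",
}

@dataclass
class Finding:
    user: str
    ident: str
    status: str
    needs_rehash: bool

def audit_shadow_line(line: str) -> Optional[Finding]:
    """Classify one /etc/shadow-style line by its bcrypt identifier.
    Returns None for non-bcrypt fields ($6$ SHA-512, '!' locked, ...)."""
    user, _, rest = line.partition(":")
    hash_field = rest.split(":", 1)[0]
    m = BCRYPT_RE.match(hash_field)
    if not m:
        return None
    ident = m.group(1)
    return Finding(user, ident, IDENT_STATUS[ident], needs_rehash=ident != "2y")

def apply_compat_workaround(hash_field: str) -> str:
    """Advisory workaround for services that call crypt() without PAM: relabel
    a stored $2a hash as $2x so crypt() keeps using the old algorithm and users
    with 8-bit passwords are not locked out. The weak hash is preserved; the
    user must still change the password to obtain a $2y hash."""
    m = BCRYPT_RE.match(hash_field)
    if not m or m.group(1) != "2a":
        return hash_field  # only $2a is ambiguous; leave $2x/$2y/others alone
    return "$2x$" + m.group(2) + "$" + m.group(3)

# Constructed sample data: FILLER is not a real salt/digest, just 53 valid chars
FILLER = "abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_SHADOW = [
    "alice:$2a$10$" + FILLER + ":19000:0:99999:7:::",  # pre-update hash
    "bob:$2x$10$" + FILLER + ":19000:0:99999:7:::",    # already relabelled
    "carol:$2y$10$" + FILLER + ":19000:0:99999:7:::",  # hashed after update
    "svc:$6$saltsalt$notbcrypt:19000:0:99999:7:::",    # SHA-512, out of scope
]
```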

Vulnerability Impact:
weak password hashing algorithm

Affected Software/OS:
glibc, pam-modules, libxcrypt, pwdutils on openSUSE 11.3, openSUSE 11.4, SUSE SLES 9

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-reference: Common Vulnerability Exposure (CVE) ID: CVE-2011-2483
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
BugTraq ID: 49241
http://www.securityfocus.com/bid/49241
Debian Security Information: DSA-2340
http://www.debian.org/security/2011/dsa-2340
Debian Security Information: DSA-2399
http://www.debian.org/security/2012/dsa-2399
http://www.mandriva.com/security/advisories?name=MDVSA-2011:165
http://www.mandriva.com/security/advisories?name=MDVSA-2011:178
http://www.mandriva.com/security/advisories?name=MDVSA-2011:179
http://www.mandriva.com/security/advisories?name=MDVSA-2011:180
http://freshmeat.net/projects/crypt_blowfish
http://www.redhat.com/support/errata/RHSA-2011-1377.html
http://www.redhat.com/support/errata/RHSA-2011-1378.html
http://www.redhat.com/support/errata/RHSA-2011-1423.html
SuSE Security Announcement: SUSE-SA:2011:035
http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00015.html
http://www.ubuntu.com/usn/USN-1229-1
XForce ISS Database: php-cryptblowfish-info-disclosure(69319)
https://exchange.xforce.ibmcloud.com/vulnerabilities/69319
Copyright: Copyright (C) 2011 Greenbone Networks GmbH

© 1998-2024 E-Soft Inc. All rights reserved.