[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability   

EMC Identifier: ESA-2014-094
 
CVE Identifier: CVE-2014-4623

Severity Rating: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)

Affected products: 
?	EMC Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE) running Avamar 6.0.x, 6.1.x, and 7.0.x running with optional Password hardening package earlier than version 2.0.0.4

Summary: 
EMC ADS/AVE Password hardening package stores passwords using a weak cryptographic scheme that may be susceptible to password cracking attacks.  
Details: 
EMC ADS/AVE Password hardening package uses the DES-based traditional Unix crypt scheme that may be susceptible to brute force and dictionary attacks if the hashes are obtained by an adversary. The hardening package is an optional package and installed separately. 

Resolution: 

Customers using affected versions of Avamar ADS/AVE with the Password hardening package in use can refer to https://support.emc.com/kb/125553 for access and installation instructions for the updated Password hardening package version 2.0.0.4 which resolves the issue.  Alternatively, the issue can be mitigated by manually editing /etc/pam.d/common-password-pc and adding ?sha512? to the pam_unix.so line.

Note: All operating system passwords should be changed using the Avamar "change-passwords" utility once the fix has been applied.

Customers using affected versions may also upgrade their ADS or AVE servers to version 7.1 which includes the latest password hardening package.

Credits:

EMC would like to thank Thorsten Tüllmann (researcher at KIT, Germany) and KIT-CERT for reporting this issue.

Link to remedies:

To upgrade to ADS or AVE version 7.1 or for any questions regarding this advisory please contact EMC customer support at https://support.emc.com. 

EMC Product Security Response Center
security_alert@xxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlRHvpAACgkQtjd2rKp+ALygSACg2Bcc40PhcTjWPmFe/0dUKjcz
k5cAn2IWS1bAkzvEPdlflgw5XCChSbRH
=tRpN
-----END PGP SIGNATURE-----