From security@caldera.com Fri Feb 15 00:32:32 2002
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com, scoannmod@xenitec.on.ca
Date: Thu, 14 Feb 2002 12:17:25 -0800
Subject: Security Update: [CSSA-2002-SCO.5] Open UNIX, UnixWare 7: encrypted password disclosure

To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca

___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:          Open UNIX, UnixWare 7: encrypted password disclosure
Advisory number:  CSSA-2002-SCO.5
Issue date:       2002 February 14
Cross reference:
___________________________________________________________________________


1. Problem Description

   After installation of the product, the file /var/adm/isl/ifile
   is left readable by all users. This file contains, among other
   things, the encrypted root password, and the encrypted owner
   password.


2. Vulnerable Supported Versions

   Operating System        Version         Affected Files
   ------------------------------------------------------------------
   UnixWare 7              All             /var/adm/isl/ifile
   Open UNIX               8.0.0           /var/adm/isl/ifile


3. Solution

   Caldera recommends that all affected systems change the file
   modes of /var/adm/isl/ifile to be readable only by root:

   # chmod 400 /var/adm/isl/ifile

   In addition, Caldera also recommends that you change the root
   and owner passwords.


4. References

   ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.5/

   This and other advisories are located at
   http://stage.caldera.com/support/security

   This advisory addresses Caldera Security internal incidents
   sr860350, fz520151.


5. Disclaimer

   Caldera International, Inc. is not responsible for the misuse
   of any of the information we provide on our website and/or
   through our security advisories. Our advisories are a service
   to our customers intended to promote secure installation and
   use of Caldera International products.


6. Acknowledgements

   Caldera wishes to thank Derryle Gogel, who discovered and
   researched this vulnerability.

___________________________________________________________________________
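
The check and fix from section 3, written as a POSIX sh audit that can be repeated across hosts. This is an added example, not part of the Caldera advisory; the function names and the IFILE override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Caldera's code): audit the installer file named in
# CSSA-2002-SCO.5 and apply the advisory's "chmod 400" when it is exposed.
# Function names and the IFILE variable are hypothetical.

IFILE=${IFILE:-/var/adm/isl/ifile}   # path from the advisory; override to test

# Print the 10-character mode string (for example -rw-r--r--) using plain ls,
# so no stat(1) is required. Prints nothing if the file does not exist.
mode_string() {
    ls -ld -- "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'
}

# Exit status: 0 = group or other has some access bit set (exposed),
#              1 = owner-only access, 2 = file not found.
is_exposed() {
    m=$(mode_string "$1")
    [ -n "$m" ] || return 2
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(printf '%s' "$m" | cut -c5-10)" != "------" ]
}

# Report the state of the file and tighten it to mode 400 if exposed.
remediate() {
    rc=0
    is_exposed "$1" || rc=$?
    case $rc in
        0)  before=$(mode_string "$1")
            chmod 400 "$1" || return 3
            echo "FIXED: $1 was $before, now $(mode_string "$1")"
            # The hashes were readable until now, so the mode change alone
            # is not enough: the advisory also says to change both passwords.
            echo "ACTION: change the root and owner passwords" ;;
        1)  echo "OK: $1 is $(mode_string "$1")" ;;
        *)  echo "SKIP: $1 not found"; return 2 ;;
    esac
}

# Run as root with --fix to act on the real file.
if [ "${1:-}" = "--fix" ]; then
    remediate "$IFILE"
fi
```
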