[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability

To: "'dm@xxxxxxxxxxxxxxxxx'" <dm@xxxxxxxxxxxxxxxxx>, "'bugtraq@xxxxxxxxxxxxxxxxx'" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability
From: Security Alert <Security_Alert@xxxxxxx>
Date: Wed, 22 Oct 2014 14:35:16 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability   

EMC Identifier: ESA-2014-094
 
CVE Identifier: CVE-2014-4623

Severity Rating: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)

Affected products: 
?       EMC Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE) 
running Avamar 6.0.x, 6.1.x, and 7.0.x running with optional Password hardening 
package earlier than version 2.0.0.4

Summary: 
EMC ADS/AVE Password hardening package stores passwords using a weak 
cryptographic scheme that may be susceptible to password cracking attacks.  
Details: 
EMC ADS/AVE Password hardening package uses the DES-based traditional Unix 
crypt scheme that may be susceptible to brute force and dictionary attacks if 
the hashes are obtained by an adversary. The hardening package is an optional 
package and installed separately. 

Resolution: 

Customers using affected versions of Avamar ADS/AVE with the Password hardening 
package in use can refer to https://support.emc.com/kb/125553 for access and 
installation instructions for the updated Password hardening package version 
2.0.0.4 which resolves the issue.  Alternatively, the issue can be mitigated by 
manually editing /etc/pam.d/common-password-pc and adding ?sha512? to the 
pam_unix.so line.

Note: All operating system passwords should be changed using the Avamar 
"change-passwords" utility once the fix has been applied.

Customers using affected versions may also upgrade their ADS or AVE servers to 
version 7.1 which includes the latest password hardening package.

Credits:

EMC would like to thank Thorsten Tüllmann (researcher at KIT, Germany) and 
KIT-CERT for reporting this issue.

Link to remedies:

To upgrade to ADS or AVE version 7.1 or for any questions regarding this 
advisory please contact EMC customer support at https://support.emc.com. 

EMC Product Security Response Center
security_alert@xxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlRHvpAACgkQtjd2rKp+ALygSACg2Bcc40PhcTjWPmFe/0dUKjcz
k5cAn2IWS1bAkzvEPdlflgw5XCChSbRH
=tRpN
-----END PGP SIGNATURE-----

Prev by Date: ESA-2014-087: EMC NetWorker Module for MEDITECH (NMMEDI) Information Disclosure Vulnerability
Next by Date: ESA-2014-096: EMC Avamar Sensitive Information Disclosure Vulnerability
Previous by thread: ESA-2014-087: EMC NetWorker Module for MEDITECH (NMMEDI) Information Disclosure Vulnerability
Next by thread: ESA-2014-096: EMC Avamar Sensitive Information Disclosure Vulnerability
Index(es):
- Date
- Thread