RHSA-2011:0170: libuser security update
Description
The libuser library implements a standardized interface for manipulatingand administering user and group accounts. Sample applications that aremodeled after applications from the shadow password suite (shadow-utils)are included in these packages.It was discovered that libuser did not set the password entry correctlywhen creating LDAP (Lightweight Directory Access Protocol) users. If anadministrator did not assign a password to an LDAP based user account,either at account creation with luseradd, or with lpasswd after accountcreation, an attacker could use this flaw to log into that account with adefault password string that should have been rejected. (CVE-2011-0002)Note: LDAP administrators that have used libuser tools to add users shouldcheck existing user accounts for plain text passwords, and reset them asnecessary.Users of libuser should upgrade to these updated packages, which contain abackported patch to correct this issue.
Solution(s)
- redhat-upgrade-libuser
- redhat-upgrade-libuser-debuginfo
- redhat-upgrade-libuser-devel
- redhat-upgrade-libuser-python
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center