Rapid7 Vulnerability & Exploit Database

RHSA-2011:0170: libuser security update

Severity: 6
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published: 01/22/2011
Created: 07/25/2018
Added: 01/25/2011
Modified: 07/04/2017

Description

The libuser library implements a standardized interface for manipulating and administering user and group accounts. Sample applications that are modeled after applications from the shadow password suite (shadow-utils) are included in these packages.

It was discovered that libuser did not set the password entry correctly when creating LDAP (Lightweight Directory Access Protocol) users. If an administrator did not assign a password to an LDAP based user account, either at account creation with luseradd, or with lpasswd after account creation, an attacker could use this flaw to log into that account with a default password string that should have been rejected. (CVE-2011-0002)

Note: LDAP administrators that have used libuser tools to add users should check existing user accounts for plain text passwords, and reset them as necessary.

Users of libuser should upgrade to these updated packages, which contain a backported patch to correct this issue.
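One way to carry out the account check recommended in the note above, as an added example that is not part of the advisory or of libuser: it reads an LDIF export of the directory and lists every entry whose userPassword value is stored without a `{SCHEME}` hash prefix. The function names, the sample entries and the assumption that a missing scheme prefix marks a plain text value are this example's own.

```python
import base64
import re

# Hashed values carry an RFC 2307-style scheme prefix such as {SSHA} or {CRYPT}.
SCHEME = re.compile(rb"^\{[A-Za-z0-9._-]+\}")

def unfold(ldif_text):
    """Join LDIF continuation lines (a continuation starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def unhashed_password_entries(ldif_text):
    """Return the DNs that have a userPassword value with no {SCHEME} prefix."""
    flagged, dn = [], None
    for line in unfold(ldif_text):
        if not line.strip():          # blank line ends the current entry
            dn = None
            continue
        attr, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if rest.startswith(":"):      # "attr:: value" means base64-encoded
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        if attr.lower() == "dn":
            dn = value.decode("utf-8", "replace")
        elif attr.lower() == "userpassword" and dn and not SCHEME.match(value):
            if dn not in flagged:
                flagged.append(dn)
    return flagged

# Constructed sample export, not real data. LDIF tools often print this
# attribute in base64 ("userPassword::"), so the third entry is encoded that way.
SAMPLE = (
    "dn: uid=alice,ou=People,dc=example,dc=com\n"
    "userPassword: {SSHA}constructed-hash-value\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=com\n"
    "userPassword: constructed-plaintext\n\n"
    "dn: uid=carol,ou=People,dc=example,dc=com\n"
    "userPassword:: " + base64.b64encode(b"constructed-plaintext").decode() + "\n"
)

if __name__ == "__main__":
    for entry in unhashed_password_entries(SAMPLE):
        print("reset password for:", entry)
```

Accounts it lists are candidates for a password reset; entries with a scheme prefix still need the package upgrade to stop new accounts from being created with the flaw.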

Solution(s)

  • redhat-upgrade-libuser
  • redhat-upgrade-libuser-debuginfo
  • redhat-upgrade-libuser-devel
  • redhat-upgrade-libuser-python
