Comment 52 for bug 534629

MattW (seattle) (mbw) wrote : Re: [Bug 534629] Re: AssumeDefaultDomain does not work

  Folks, versions prior to 8046 have a security flaw. Get something
newer, if you can find it. See the advisory below:

Likewise Software has posted a security advisory on our Likewise Open
forum announcements
http://cts.vresp.com/c/?LikewiseSoftware/a4f78d058f/1b43a64120/5eac187271.
  This notice is to inform you of a critical update to specific
Likewise Open packages that we have made available on our product
download site. Below is a copy of the security advisory message.

_____________________________________________________________

Likewise Security Advisory LWSA-2010-001
http://cts.vresp.com/c/?LikewiseSoftware/a4f78d058f/1b43a64120/6600c07eb4

_____________________________________________________________

Package : Likewise Open
Service : Likewise Security Authority (lsassd)
Date : 26-July-2010
Platform(s) : Linux, OS X, Solaris, HP-UX, AIX, FreeBSD
Versions : Likewise Open 5.4 (prior to build 8046)
       Likewise-CIFS 5.4 (prior to build 8046)
       Likewise Open 6.0 (prior to build 8234)
CVE(s) : CVE-2010-0833
_____________________________________________________________

Summary:

   A logic flaw has been found in the pam_lsass library that,
   when run under the context of a root service (e.g. sshd,
   gdm, etc.), will allow any user to log on as an lsassd
   local-provider account (e.g. MACHINE\Administrator) if
   the account's password is marked as expired. The cause
   is that the pam_lsass library uses SetPassword logic when
   detecting that the uid is 0, therefore not requiring
   that the intruder validate against the expired password
   before being allowed to specify a new password.

   All Likewise Open users are encouraged to upgrade to
   the latest released packages for their version or to
   employ the stated workaround until such a time when
   an upgrade may be performed.

   This defect was first reported by Matt Weatherford from
   the University of Washington. Our thanks to Matt for
   helping improve Likewise Open.
_____________________________________________________________

Workaround:

   Explicitly disabling the MACHINE\Administrator (or any
   other lsassd local-provider accounts not in use) will
   prevent unauthorized access. This may be done by running
   the following command as the local superuser. Replace
   HOSTNAME with the hostname of the local system:

     $ lw-mod-user --disable-user "HOSTNAME\Administrator"

   You may verify that the account is disabled by running the
   lw-find-user-by-name command

     $ lw-find-user-by-name --level 2 "MACHINE\Administrator"
     ...
     Account disabled (or locked): TRUE
_____________________________________________________________

Updated Packages:

   New packages for both Likewise Open 5.4 and Likewise Open
   6.0 have been made available from

http://cts.vresp.com/c/?LikewiseSoftware/a4f78d058f/1b43a64120/5976b460b8.

http://www.likewise.com/download

_____________________________________________________________
Likewise Security Team <email address hidden>
http://cts.vresp.com/c/?LikewiseSoftware/a4f78d058f/1b43a64120/ea59d7255f

_____________________________________________________________

______________________________________________________________________
This message was sent by Likewise Software using VerticalResponse

Likewise Software
15395 SE 30th Pl
Suite 140
Bellevue, Washington 98007

On 8/3/2010 11:44 AM, Tony Shadwick wrote:
> Going to give this a shot:
>
> http://www.likewise.com/bits/summer09/8040/LikewiseIdentityServiceOpen-5.4.0.8040-linux-x86_64-deb-installer
>
> I'll report how it goes - this is the most recent build available after
> 7985. One would hope the problem did not spring back up in the later
> build...
>
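As an added example, not code from the advisory, from Likewise, or from this bug thread, the following POSIX shell script automates the verification step of the LWSA-2010-001 workaround: it parses the `Account disabled (or locked): TRUE` line that `lw-find-user-by-name --level 2` prints and reports any lsassd local-provider account that is still enabled. It assumes only that output line format; the `LOOKUP` variable, the `sample_output` function, its embedded output and the `MACHINE\example-svc` account name are constructed so the script runs offline, and on a real host `LOOKUP` is pointed at the actual command instead.

```shell
#!/bin/sh
# Added example (not Likewise's code): verify the LWSA-2010-001 workaround by
# checking that lsassd local-provider accounts report as disabled or locked.

# account_disabled: reads the `lw-find-user-by-name --level 2` output for one
# account on stdin. Returns 0 when the account is reported disabled or locked,
# 1 otherwise, including when the status line is missing, so an unparsable or
# empty lookup is never mistaken for a disabled account.
account_disabled() {
    awk -F': *' '
        /^ *Account disabled \(or locked\):/ {
            status = $2
            gsub(/[ \t\r]/, "", status)   # drop trailing whitespace or CR
            status = toupper(status)
        }
        END { if (status == "TRUE") exit 0; exit 1 }
    '
}

# sample_output: constructed stand-in for `lw-find-user-by-name --level 2 NAME`
# on a host where Administrator was disabled per the workaround but a second,
# hypothetical local-provider account (MACHINE\example-svc) was not.
# Only the status line from the advisory is reproduced; "..." stands for the
# other fields the real tool prints.
sample_output() {
    case "$1" in
        'MACHINE\Administrator') cat <<'EOF'
...
Account disabled (or locked): TRUE
EOF
        ;;
        'MACHINE\example-svc') cat <<'EOF'
...
Account disabled (or locked): FALSE
EOF
        ;;
        *) return 1 ;;   # unknown account: no output, so it cannot be verified
    esac
}

# LOOKUP is the command used to fetch account details. On a real Likewise host
# run with:  LOOKUP="lw-find-user-by-name --level 2" ./check-lsass-accounts.sh
# The default keeps the script runnable offline against the constructed data.
LOOKUP=${LOOKUP:-sample_output}

# check_accounts: print each account's state and return the number of accounts
# still enabled (or unverifiable), so a return value of 0 means the workaround
# is fully in place for every account named.
check_accounts() {
    exposed=0
    for acct in "$@"; do
        # $LOOKUP is deliberately unquoted so a multi-word command splits
        if $LOOKUP "$acct" | account_disabled; then
            echo "ok:      $acct is disabled"
        else
            echo "EXPOSED: $acct is still enabled (or could not be verified)"
            exposed=$((exposed + 1))
        fi
    done
    return $exposed
}

# Usage: ./check-lsass-accounts.sh 'MACHINE\Administrator' 'MACHINE\other' ...
[ $# -gt 0 ] && check_accounts "$@"
```

Run it with every local-provider account the host has, not just Administrator, since the advisory's workaround covers any lsassd local-provider account that is not in use; a non-zero exit status is the signal that something is still exposed.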