Folks, versions prior to 8046 have a security flaw - Get something
newer, if you can find it .... see the advisory below:
Likewise Software has posted a security advisory on our Likewise Open
forum announcements: http://cts.vresp.com/c/?LikewiseSoftware/a4f78d058f/1b43a64120/5eac187271

This notice is to inform you of a critical update to specific
Likewise Open packages that we have made available on our product
download site. Below is a copy of the security advisory message.

_____________________________________________________________
Likewise Security Advisory LWSA-2010-001
http://cts.vresp.com/c/?LikewiseSoftware/a4f78d058f/1b43a64120/6600c07eb4
_____________________________________________________________
Package     : Likewise Open
Service     : Likewise Security Authority (lsassd)
Date        : 26-July-2010
Platform(s) : Linux, OS X, Solaris, HP-UX, AIX, FreeBSD
Versions    : Likewise Open 5.4 (prior to build 8046)
              Likewise-CIFS 5.4 (prior to build 8046)
              Likewise Open 6.0 (prior to build 8234)
CVE(s)      : CVE-2010-0833
_____________________________________________________________
Summary:

A logic flaw has been found in the pam_lsass library that,
when run under the context of a root service (e.g. sshd,
gdm, etc.), will allow any user to logon as an lsassd
local-provider account (e.g. MACHINE\Administrator) if
the account's password is marked as expired. The cause
is that the pam_lsass library uses SetPassword logic when
detecting that the uid is 0, therefore not requiring
that the intruder validate against the expired password
before being allowed to specify a new password.

All Likewise Open users are encouraged to upgrade to
the latest released packages for their version or to
employ the stated workaround until such a time when
an upgrade may be performed.

This defect was first reported by Matt Weatherford from
the University of Washington. Our thanks to Matt for
helping improve Likewise Open.
_____________________________________________________________
Workaround:

Explicitly disabling the MACHINE\Administrator (or any
other lsassd local-provider accounts not in use) will
prevent unauthorized access. This may be done by running
the following command as the local superuser. Replace
MACHINE with the hostname of the local system:

$ lw-mod-user --disable-user "MACHINE\Administrator"
You may verify that the account is disabled by running the
lw-find-user-by-name command
$ lw-find-user-by-name --level 2 "MACHINE\Administrator"
...
Account disabled (or locked): TRUE
_____________________________________________________________
Updated Packages:

New packages for both Likewise Open 5.4 and Likewise Open
6.0 have been made available from
http://www.likewise.com/download
(http://cts.vresp.com/c/?LikewiseSoftware/a4f78d058f/1b43a64120/5976b460b8).
_____________________________________________________________
Likewise Security Team <email address hidden>
http://cts.vresp.com/c/?LikewiseSoftware/a4f78d058f/1b43a64120/ea59d7255f
_____________________________________________________________

This message was sent by Likewise Software using VerticalResponse
Likewise Software
15395 SE 30th Pl
Suite 140
Bellevue, Washington 98007
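To make the Summary concrete, here is an added model of the decision the advisory describes: the module decides between "change password (old one required)" and "set password (no old one required)" by looking at the uid of the calling process, and under sshd or gdm that uid is 0 for every login, so the expired password is never checked. This is constructed illustration code, not Likewise's pam_lsass; the struct, function and account names are invented, and the `forced_expired_change` flag stands in for PAM's PAM_CHANGE_EXPIRED_AUTHTOK, which the real PAM stack passes to the password-change step when an expired password forces a change at login.

```c
/* Constructed model of the decision flaw described in LWSA-2010-001
 * (CVE-2010-0833). Names and data here are invented for illustration;
 * this is not code from Likewise's pam_lsass. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PW_MAX 64

typedef struct {
    char name[PW_MAX];
    char password[PW_MAX];
    int  expired;      /* password flagged expired: login must change it */
} account_t;

enum { PW_CHANGED = 0, PW_DENIED_OLD_MISMATCH = 1 };

static void set_password(account_t *acct, const char *new_pw)
{
    strncpy(acct->password, new_pw, PW_MAX - 1);
    acct->password[PW_MAX - 1] = '\0';
    acct->expired = 0;
}

/* Vulnerable rule, as the advisory states it: when the calling process has
 * uid 0 the module takes the administrative SetPassword path and never
 * checks the old (expired) password. The wrong principal is being tested:
 * sshd and gdm run as root for every login, so the process uid says nothing
 * about who is at the other end of the PAM conversation. */
int change_password_vulnerable(account_t *acct, uid_t caller_uid,
                               const char *old_pw, const char *new_pw)
{
    int admin_reset = (caller_uid == 0);
    if (!admin_reset && strcmp(acct->password, old_pw) != 0)
        return PW_DENIED_OLD_MISMATCH;
    set_password(acct, new_pw);
    return PW_CHANGED;
}

/* Hardened rule: a change forced by expiry during login (PAM passes
 * PAM_CHANGE_EXPIRED_AUTHTOK for this; modelled here as a flag) always
 * validates the expired password, whatever uid the service runs as. The
 * unauthenticated reset path is left for a root caller outside of login,
 * e.g. an administrator running a passwd-style tool. */
int change_password_fixed(account_t *acct, uid_t caller_uid,
                          int forced_expired_change,
                          const char *old_pw, const char *new_pw)
{
    int admin_reset = (caller_uid == 0) && !forced_expired_change;
    if (!admin_reset && strcmp(acct->password, old_pw) != 0)
        return PW_DENIED_OLD_MISMATCH;
    set_password(acct, new_pw);
    return PW_CHANGED;
}

/* Advisory scenario: expired local-provider account, root-owned login
 * service (uid 0), caller who does not know the current password.
 * Returns 1 when the vulnerable rule accepts the change and the fixed
 * rule refuses it. The account record is constructed sample data. */
int advisory_scenario(void)
{
    account_t a = { "MACHINE\\Administrator", "current-secret", 1 };
    account_t b = a;
    int vuln  = change_password_vulnerable(&a, 0, "unknown", "new-secret");
    int fixed = change_password_fixed(&b, 0, 1, "unknown", "new-secret");
    printf("vulnerable rule: %s\n", vuln == PW_CHANGED ? "accepted" : "denied");
    printf("fixed rule:      %s\n", fixed == PW_CHANGED ? "accepted" : "denied");
    return vuln == PW_CHANGED && fixed == PW_DENIED_OLD_MISMATCH;
}

/* Regression check for the fix: the legitimate owner, who knows the expired
 * password, can still complete the forced change and the expiry is cleared. */
int owner_scenario(void)
{
    account_t a = { "MACHINE\\Administrator", "current-secret", 1 };
    int rc = change_password_fixed(&a, 0, 1, "current-secret", "new-secret");
    return rc == PW_CHANGED && a.expired == 0
           && strcmp(a.password, "new-secret") == 0;
}

int main(void)
{
    int ok = advisory_scenario() && owner_scenario();
    printf("model %s\n", ok ? "behaves as described" : "does NOT match");
    return ok ? 0 : 1;
}
```

The design point is that the privilege check must be about the principal whose password is being changed, not about the service process: a forced change at login is always performed on behalf of an as-yet unproven caller, so the old credential has to be validated there regardless of the uid the daemon happens to hold. That is also why the advisory's workaround (disabling unused local-provider accounts) is effective: an account that cannot log in has no expired password for this path to reset.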
On 8/3/2010 11:44 AM, Tony Shadwick wrote:
> Going to give this a shot:
>
> http://www.likewise.com/bits/summer09/8040/LikewiseIdentityServiceOpen-5.4.0.8040-linux-x86_64-deb-installer
>
> I'll report how it goes - this is the most recent build available after
> 7985. One would hope the problem did not spring back up in the later
> build...
>
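The advisory gives the fixed builds per branch (5.4 from build 8046, 6.0 from build 8234), and the installer name quoted above carries build 8040. As an added triage helper, not a Likewise tool, the following classifies a build string against those thresholds; it accepts either a bare `major.minor.patch.build` string or an installer file name of the form seen in the quoted reply. The sample inputs in `main` are constructed.

```c
/* Added helper for triaging an installed Likewise Open build against the
 * thresholds in LWSA-2010-001: 5.4 is fixed from build 8046, 6.0 from build
 * 8234. Constructed for this post, not a Likewise tool. */
#include <stdio.h>

enum { LW_NOT_AFFECTED = 0, LW_AFFECTED = 1, LW_UNKNOWN = -1 };

int likewise_open_affected(const char *s)
{
    int major, minor, patch, build;

    /* Skip any leading product name so installer file names parse too. */
    while (*s && (*s < '0' || *s > '9'))
        s++;
    if (sscanf(s, "%d.%d.%d.%d", &major, &minor, &patch, &build) != 4)
        return LW_UNKNOWN;

    if (major == 5 && minor == 4)
        return build < 8046 ? LW_AFFECTED : LW_NOT_AFFECTED;
    if (major == 6 && minor == 0)
        return build < 8234 ? LW_AFFECTED : LW_NOT_AFFECTED;
    return LW_UNKNOWN;   /* branch not covered by the advisory */
}

int main(void)
{
    /* Constructed sample inputs; the first is the file name from the quoted
     * reply, whose build 8040 is prior to the fixed 5.4 build 8046. */
    const char *samples[] = {
        "LikewiseIdentityServiceOpen-5.4.0.8040-linux-x86_64-deb-installer",
        "5.4.0.8046",
        "6.0.0.8200",
        "6.0.0.8234",
        "4.1.0.1234",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = likewise_open_affected(samples[i]);
        printf("%-70s %s\n", samples[i],
               r == LW_AFFECTED ? "AFFECTED" :
               r == LW_NOT_AFFECTED ? "not affected" : "unknown branch");
    }
    return 0;
}
```

The "prior to build N" wording in the advisory is read as strictly less than N, so builds 8046 and 8234 themselves are reported as not affected; any branch other than 5.4 and 6.0 is reported as unknown rather than silently treated as safe.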