Opsware Network Automation System Discloses MySQL Password to Local Users
|
|
SecurityTracker Alert ID: 1016566
|
|
SecurityTracker URL: http://securitytracker.com/id?1016566
|
|
CVE Reference: CVE-2006-3878
(Links to External Site)
|
Updated: Jun 13 2008
|
Original Entry Date: Jul 25 2006
|
Impact: Disclosure of authentication information
|
Exploit Included: Yes
|
Version(s): 6.0
|
Description: A vulnerability was reported in the Opsware Network Automation System. A local user can obtain the MySQL database password.
The system installs a startup script in '/etc/init.d/mysqll' that contains the 'root' password selected for the MySQL MAX database
during installation. The script has world-readable permissions. As a result, a local user can view the 'root' MySQL password.
Michael
Freeman reported this vulnerability.
|
Impact: A local user can obtain the MySQL database 'root' password.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.opsware.com/products/networkautomation/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Linux (Any)
|
Reported By: "Freeman, Michael" <mfreeman@multimax.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 24 Jul 2006 10:05:04 -0500
From: "Freeman, Michael" <mfreeman@multimax.com>
Subject: Opsware NAS 6.0 reveals MySQL 'root' password
|
The Opsware Network Automation System (NAS) version 6.0 installation
places an 'init' style startup script in /etc/init.d/mysqll and places
the 'root' password that you choose for the MySQL MAX database during
installation.
The permissions on this small shell script are world readable, allowing
any user of the system to compromise the 'root' MySQL account. This
could reveal network intelligence including stored/shared authentication
credentials for network devices.
|
|
