SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Opsware Network Automation System Vendors:   Opsware
Opsware Network Automation System Discloses MySQL Password to Local Users
SecurityTracker Alert ID:  1016566
SecurityTracker URL:  http://securitytracker.com/id/1016566
CVE Reference:   CVE-2006-3878   (Links to External Site)
Updated:  Jun 13 2008
Original Entry Date:  Jul 25 2006
Impact:   Disclosure of authentication information
Exploit Included:  Yes  
Version(s): 6.0
Description:   A vulnerability was reported in the Opsware Network Automation System. A local user can obtain the MySQL database password.

The system installs a startup script in '/etc/init.d/mysqll' that contains the 'root' password selected for the MySQL MAX database during installation. The script has world-readable permissions. As a result, a local user can view the 'root' MySQL password.

Michael Freeman reported this vulnerability.

Impact:   A local user can obtain the MySQL database 'root' password.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.opsware.com/products/networkautomation/ (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  Opsware NAS 6.0 reveals MySQL 'root' password

The Opsware Network Automation System (NAS) version 6.0 installation
places an 'init' style startup script in /etc/init.d/mysqll and places
the 'root' password that you choose for the MySQL MAX database during
installation. 

The permissions on this small shell script are world readable, allowing
any user of the system to compromise the 'root' MySQL account. This
could reveal network intelligence including stored/shared authentication
credentials for network devices.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC