[manjaro-security] [MSA-201706-02] Calamares : access restriction bypass

Philip Müller philm at manjaro.org
Wed Jun 21 09:25:03 CEST 2017

Manjaro Linux Security Advisory MSA-201706-02

Severity: High
Date    : 2017-06-21
Package : calamares
Type    : access restriction bypass
Remote  : Possible
Link    : TBD


The package 'Calamares' before version is vulnerable
due using weak password hashing as it creates users for your OS


Users are advised to run 'passwd' to reset their passwords on all
systems installed with 'Calamares' as installer. The password should be
reset for both regular users and for the root user.

Users who installed Manjaro with install medias beginning with v17.0.2
don't have to worry, since Calamares v3.1.0.2 or higher is used on
those ISOs.


see resolution


Systems installed by 'Calamares' apply poor password salting to the
passwords of users created during system installation (e.g. "root", and
the system user).


The same salt is used for user root across all distros using 'Calamares'
as installer. This eliminates the effectiveness of password salting and
allows a simpler approach to password-cracking. Users with the same
username (e.g. "bob") share a salt as well.

The effect of re-usiing a salt means that it is possible to pre-compute
the password hashes for a given username (e.g. "root") and to use such a
rainbow table to crack the password of any given machine. This makes
passwords shared across multiple systems installed with 'Calamares', and
passwords for user accounts shared across multiple systems installed
with 'Calamares' (e.g. "root") more vulnerable to attack.



More information about the manjaro-security mailing list