[manjaro-security] [MSA-201706-02] Calamares : access restriction bypass
Philip Müller
philm at manjaro.org
Wed Jun 21 09:25:03 CEST 2017
Manjaro Linux Security Advisory MSA-201706-02
=============================================
Severity: High
Date : 2017-06-21
CVE-ID : TBD
Package : calamares
Type : access restriction bypass
Remote : Possible
Link : TBD
Summary
=======
The package 'Calamares' before version 3.1.0.2-1 is vulnerable
due using weak password hashing as it creates users for your OS
installation.
Resolution
==========
Users are advised to run 'passwd' to reset their passwords on all
systems installed with 'Calamares' as installer. The password should be
reset for both regular users and for the root user.
Users who installed Manjaro with install medias beginning with v17.0.2
don't have to worry, since Calamares v3.1.0.2 or higher is used on
those ISOs.
Workaround
==========
see resolution
Description
===========
Systems installed by 'Calamares' apply poor password salting to the
passwords of users created during system installation (e.g. "root", and
the system user).
Impact
======
The same salt is used for user root across all distros using 'Calamares'
as installer. This eliminates the effectiveness of password salting and
allows a simpler approach to password-cracking. Users with the same
username (e.g. "bob") share a salt as well.
The effect of re-usiing a salt means that it is possible to pre-compute
the password hashes for a given username (e.g. "root") and to use such a
rainbow table to crack the password of any given machine. This makes
passwords shared across multiple systems installed with 'Calamares', and
passwords for user accounts shared across multiple systems installed
with 'Calamares' (e.g. "root") more vulnerable to attack.
References
==========
https://cwe.mitre.org/data/definitions/760.html
More information about the manjaro-security
mailing list