[manjaro-security] [MSA-201706-02] Calamares : access restriction bypass
philm at manjaro.org
Wed Jun 21 09:25:03 CEST 2017
Manjaro Linux Security Advisory MSA-201706-02
Date : 2017-06-21
CVE-ID : TBD
Package : calamares
Type : access restriction bypass
Remote : Possible
Link : TBD
The package 'Calamares' before version 184.108.40.206-1 is vulnerable
due using weak password hashing as it creates users for your OS
Users are advised to run 'passwd' to reset their passwords on all
systems installed with 'Calamares' as installer. The password should be
reset for both regular users and for the root user.
Users who installed Manjaro with install medias beginning with v17.0.2
don't have to worry, since Calamares v220.127.116.11 or higher is used on
Systems installed by 'Calamares' apply poor password salting to the
passwords of users created during system installation (e.g. "root", and
the system user).
The same salt is used for user root across all distros using 'Calamares'
as installer. This eliminates the effectiveness of password salting and
allows a simpler approach to password-cracking. Users with the same
username (e.g. "bob") share a salt as well.
The effect of re-usiing a salt means that it is possible to pre-compute
the password hashes for a given username (e.g. "root") and to use such a
rainbow table to crack the password of any given machine. This makes
passwords shared across multiple systems installed with 'Calamares', and
passwords for user accounts shared across multiple systems installed
with 'Calamares' (e.g. "root") more vulnerable to attack.
More information about the manjaro-security