-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
ESA-2014-094: EMC Avamar Weak Password Storage Vulnerability EMC Identifier: ESA-2014-094 CVE Identifier: CVE-2014-4623 Severity Rating: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C) Affected products: EMC Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE) running Avamar 6.0.x, 6.1.x, and 7.0.x running with optional Password hardening package earlier than version 2.0.0.4 Summary: EMC ADS/AVE Password hardening package stores passwords using a weak cryptographic scheme that may be susceptible to password cracking attacks. Details: EMC ADS/AVE Password hardening package uses the DES-based traditional Unix crypt scheme that may be susceptible to brute force and dictionary attacks if the hashes are obtained by an adversary. The hardening package is an optional package and installed separately. Resolution: Customers using affected versions of Avamar ADS/AVE with the Password hardening package in use can refer to https://support.emc.com/kb/125553 for access and installation instructions for the updated Password hardening package version 2.0.0.4 which resolves the issue. Alternatively, the issue can be mitigated by manually editing /etc/pam.d/common-password-pc and adding sha512 to the pam_unix.so line. Note: All operating system passwords should be changed using the Avamar "change-passwords" utility once the fix has been applied. Customers using affected versions may also upgrade their ADS or AVE servers to version 7.1 which includes the latest password hardening package. Credits: EMC would like to thank Thorsten Tüllmann (researcher at KIT, Germany) and KIT-CERT for reporting this issue. Link to remedies: To upgrade to ADS or AVE version 7.1 or for any questions regarding this advisory please contact EMC customer support at https://support.emc.com. EMC Product Security Response Center [email protected] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Cygwin) iEYEARECAAYFAlRHvpAACgkQtjd2rKp+ALygSACg2Bcc40PhcTjWPmFe/0dUKjcz k5cAn2IWS1bAkzvEPdlflgw5XCChSbRH =tRpN -----END PGP SIGNATURE-----
