BusyBox passwd weak password generation

busybox-passwd-weak-security (25569) The risk level is classified as MediumMedium Risk

Description:

BusyBox creates MD5 password hashes without using a salt, resulting in insecure password generation. If a local attacker has access to the shadow file, the attacker could use a dictionary attack to obtain user passwords.


Consequences:

Obtain Information

Remedy:

Upgrade to the latest version of BusyBox (1.1.3 or later), available from the BusyBox Web site. See References.

For Avaya (busybox):
Refer to ASA-2007-250 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • BusyBox: BusyBox.
  • ASA-2007-250: busybox security update (RHSA-2007-0244)
  • BID-17330: BusyBox Insecure Password Hash Weakness
  • CVE-2006-1058: BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.
  • RHSA-2007-0244: Low: busybox security update
  • SA19477: BusyBox MD5 Password Hash Generation Weakness
  • SA25848: Avaya Products BusyBox MD5 Password Weakness

Platforms Affected:

  • Avaya Application Enablement Services 4.0
  • Avaya Communication Manager 2.0
  • Avaya Communication Manager 2.0.1
  • Avaya Communication Manager 2.1
  • Avaya Communication Manager 2.1.1
  • Avaya Communication Manager 2.2
  • Avaya Communication Manager 2.2.1
  • Avaya Communication Manager 2.2.2
  • Avaya Communication Manager 3.0
  • Avaya Communication Manager 3.0.1
  • Avaya Communication Manager 3.1
  • Avaya Communication Manager 3.1.1
  • Avaya Communication Manager 3.1.2
  • Avaya Communication Manager 3.1.3
  • Avaya Communication Manager 3.1.4
  • Avaya Communication Manager 4.0
  • Avaya Communication Manager 4.0.1
  • Avaya Communication Manager 4.0.3
  • Avaya Converged Communications Server
  • Avaya Message Networking
  • Avaya Message Storage Server 3.0
  • Avaya SIP Enablement Services
  • Erik Andersen BusyBox 1.1.1
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 ES
  • RedHat Enterprise Linux 4 WS
  • RedHat Enterprise Linux 4 Desktop

Reported:

Mar 31, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page