-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1200
   Security Bulletin: IBM SONAS Administrator password can be read by the
        root user from the shell command history (CVE-2014-3045)
                                21 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM SONAS
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3045

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004815

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM SONAS Administrator password can be read by the root
user from the shell command history (CVE-2014-3045)

Security Bulletin

Document information

More support for: Scale Out Network Attached Storage 1.4.3.3
Version:              1.4.3.3
Operating system(s):  Linux
Reference #:          S1004815
Modified date:        2014-07-17

Summary

A fix is available for IBM SONAS for the security issue that, after the
password of an administrative user is changed, the password can be read by
the root user from the shell command history.

Vulnerability Details

CVEID: CVE-2014-3045

DESCRIPTION: One purpose of the chuser command is to modify the password of
an administrative user account in IBM SONAS. When used with the -p argument,
the chuser command records the administrator password in the shell command
history. The shell command history can subsequently be read by the root
user.

CVSS Base Score: 2.1

Affected Products and Versions

IBM SONAS
The product is affected when running code releases 1.3.0.0 to 1.4.3.2.

Remediation/Fixes

A fix for this issue is in version 1.4.3.3 of IBM SONAS.

Workarounds and Mitigations

Workaround(s):

1. Modify the HISTIGNORE environment variable for the root user so that the
   chuser command is not included in the bash history. You could add this
   environment variable to the .bashrc file in the home directory of the
   root user. HISTIGNORE is a colon-separated list of shell patterns, and a
   command line is dropped from the history only if one pattern matches the
   entire line: a pattern such as chuser* matches only lines that begin
   with chuser, whereas *chuser* also matches lines on which chuser appears
   after another command. The variable only affects command lines typed
   after it is set; any password already present in the history file stays
   there.

2. After changing a password with the chuser command, the admin user may
   have the root user clear the root user's shell command history with the
   history -c command. Note that history -c clears only the in-memory
   history list of the running shell; entries already written to the
   history file (HISTFILE, by default ~/.bash_history) by an earlier session
   or by history -a remain on disk and must be removed from the file
   separately.

Mitigation(s):

A fix for this issue is in version 1.4.3.3 of IBM SONAS. Customers running
an affected version of IBM SONAS should upgrade to 1.4.3.3 or a later
version so that the fix is applied.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Thanks to Google for identifying and reporting this issue to IBM.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU8ycvhLndAQH1ShLAQKUrw//RnqHbL4PLpvZlj3hV1cqjmjKYIB5Ft0O
M05b2RPI/1bs7FWW9tzZaQ907aui+tk5i7hQiP3kkpt7gIkVnSXobhhsrQ8zY26l
XktMDOarLgsFDC6IOQxCNRpsdp3USZz9jITdhBXGkrUEMD/9Ed06voBKDe5TaQ23
whL1BMefdd3XjaGaPt47DP5BVDErd9Os+LSLaDFL+TGPMX1qpLZiBrjqgCwFvfTj
fxer+xyDHM4wUA7MFMdf2joVrApd2PAeDnupaEK8a4nSZZ8A9cSUXciliqSPVuyr
9VnyijFnpEdUkzy+U9MCGEjdvQnxmyzW0LjpA+xzDaEB1LmEC/sMGtcwNuBC8Yq1
ThoQW3lr8huvQVnyvp4TFFC+1nbccETu9AheHinN18h8Z/0DpKt6O1ee7pBbdYPu
Sx9hRG2/3uhmtbKxfNkLd5H7bKoChHPLieUJ/UId6LMF8uIwX6oUZDsQ7nV02GX0
WBh5njsHjrfmUkwBS8sf+ofA2u76eKUHEpi/Efektjr/9Nzydflahx9XWC0r7qjh
tpy4lL2bY3XAjJAmYCNE802AgbXIwFPPWD+WPSTm5o79TuaOUcaXiu1bmE6J1uaY
dJcqKXUeLjcjp+i8uVt490tIVwtz576x8Q37rNq7x271sOeKtDdoFMAIXANF8O8C
gA3HJEjpGtQ=
=l01y
-----END PGP SIGNATURE-----
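The two workarounds in the bulletin above (HISTIGNORE for root, and clearing history after chuser -p) each have a sharp edge a practitioner will want to check: a HISTIGNORE pattern must match the whole command line, and a password may already be sitting in the history file. The script below is an added example written for this page; it is not code from IBM or AusCERT. histignore_matches emulates bash's HISTIGNORE matching (each colon-separated glob anchored at both ends; the bash-specific "&" pattern is not emulated) so a candidate pattern can be tested before it goes into root's .bashrc, and audit_history scans an existing history file for chuser lines carrying -p and prints a report with the password value redacted so the audit itself does not re-expose it. Assumptions: the history file uses bash's layout (one command per line, with optional "#<epoch>" lines when HISTTIMEFORMAT is set), the "-p <password>" form is as the bulletin describes, and the other chuser arguments in the constructed sample are made up rather than taken from the SONAS CLI.

```shell
#!/bin/sh
# Added example, not code from IBM or AusCERT.  Helpers for the two
# HISTIGNORE / history -c workarounds in the SONAS bulletin (CVE-2014-3045).
# Assumptions: bash history layout ("#<epoch>" timestamp lines optional);
# "chuser ... -p <password>" per the bulletin; sample arguments are invented.

# histignore_matches PATTERNS LINE
#   exit 0 if LINE would be kept out of history by HISTIGNORE=PATTERNS,
#   exit 1 if bash would still record it.
histignore_matches() {
    patterns="$1"
    line="$2"
    rest="$patterns:"
    while [ -n "$rest" ]; do
        pat="${rest%%:*}"
        rest="${rest#*:}"
        [ -n "$pat" ] || continue
        # An unquoted expansion in a case pattern is matched as a glob that
        # must cover the whole string, which is how bash applies HISTIGNORE.
        case "$line" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# audit_history FILE
#   prints "<line>\t<epoch or ?>\t<redacted command>" for every chuser line
#   that carries -p; exit 1 if anything was found, 0 if the file is clean.
audit_history() {
    file="$1"
    hits=0
    lineno=0
    ts='?'
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            '#'[0-9]*) ts="${line#?}"; continue ;;   # timestamp of the next command
        esac
        case "$line" in
            *chuser*' -p'*)
                # Redact the value after -p whether bare, "double" or 'single' quoted.
                redacted=$(printf '%s\n' "$line" |
                    sed -E "s/-p +(\"[^\"]*\"|'[^']*'|[^ ]+)/-p <REDACTED>/g")
                printf '%s\t%s\t%s\n' "$lineno" "$ts" "$redacted"
                hits=$((hits + 1)) ;;
        esac
        ts='?'
    done < "$file"
    [ "$hits" -eq 0 ]
}

# write_sample_history FILE: constructed history file used by the demo.
write_sample_history() {
    cat > "$1" <<'EOF'
#1405612345
lsuser
#1405612400
chuser admin -p S3cret!Pass
lsuser
sudo chuser -p 'pa ss word' backupadm
history -c
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_history "$tmp"
    audit_history "$tmp" || echo "password-bearing chuser lines found; rotate those credentials"
    rm -f "$tmp"
fi
```

Run it with `sh audit.sh --demo` to see the report on the constructed file, or call `audit_history /root/.bash_history` as root on an affected node. Two things the output shows that the bulletin's text does not: the line prefixed with sudo is recorded even when HISTIGNORE is chuser*, so the pattern written to /root/.bashrc should be *chuser* (histignore_matches lets you confirm that before relying on it), and the second hit has no timestamp, so the file alone cannot tell you when that password was exposed. Any hit is a credential that everyone who could read the file may have seen, so change it again after the fix or the HISTIGNORE setting is in place rather than merely deleting the line.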