Password Handling Flaw in Ubuntu's passwd Utility
CVE-2006-3597
Currently unrated
What is CVE-2006-3597?
The passwd utility before version 1:4.0.13 on Ubuntu 6.06 LTS mishandles root password management. When the administrator chooses 'Go Back' after installation, the software sets the root password to blank instead of securing the root account. The password is zeroed out in the installer's memory, which leaves the system open to unauthorized access.
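A check for the condition described above, a root account whose password field is blank rather than locked or hashed. This is an added example, not code from the advisory or from Ubuntu; it assumes the standard shadow(5) field layout, and the sample entries and function names are constructed for illustration.

```python
"""Audit shadow(5)-format data for accounts whose password field is blank."""
import sys

# Constructed sample in shadow(5) format; not taken from a real system.
SAMPLE_SHADOW = """\
root::13340:0:99999:7:::
daemon:*:13340:0:99999:7:::
alice:$1$examplesalt$notarealhashvalue000000:13340:0:99999:7:::
backup:!:13340:0:99999:7:::
"""


def classify(password_field):
    """Return 'blank', 'locked' or 'hashed' for a shadow password field."""
    if password_field == "":
        return "blank"   # no password is required to authenticate
    if password_field[0] in "!*":
        return "locked"  # not a valid crypt(3) result: password login disabled
    return "hashed"


def audit(shadow_text):
    """Map each account name to its classification, skipping malformed lines."""
    result = {}
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify(fields[1])
    return result


def blank_accounts(shadow_text):
    """Return the sorted names of accounts that need no password."""
    return sorted(n for n, state in audit(shadow_text).items() if state == "blank")


if __name__ == "__main__":
    # With a path argument, audit that file (reading /etc/shadow needs root);
    # without one, audit the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    blanks = blank_accounts(text)
    for name in blanks:
        print(f"{name}: blank password field")
    sys.exit(1 if blanks else 0)
```

The script exits non-zero when any account has a blank password field, so it can gate a post-install verification step.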