Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request: pam: password hashes aren't compared case-sensitively
From: Ratul Gupta <ratulg () redhat com>
Date: Mon, 09 Dec 2013 15:21:39 +0530

https://bugzilla.redhat.com/show_bug.cgi?id=1038555

It was found that in pam_userdb module for Pam, password hashes weren't compared case-sensitively, which could lead to acceptance of hashes for completely different passwords, which shouldn't be accepted.

After hashing the user's password with crypt(), pam_userdb compares the result to the stored hash case-insensitively with strncasecmp(), which should be avoided, as it could result in an increased possibility of a successful brute-force attack.

Can a CVE be assigned for this?

--
Regards,

Ratul Gupta / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault