oss-sec mailing list archives

CVE request: pam: password hashes aren't compared case-sensitively
From: Ratul Gupta <ratulg () redhat com>
Date: Mon, 09 Dec 2013 15:21:39 +0530


It was found that in the pam_userdb module for PAM, password hashes weren't compared case-sensitively, which could lead to acceptance of hashes for completely different passwords, which shouldn't be accepted.

After hashing the user's password with crypt(), pam_userdb compares the result to the stored hash case-insensitively with strncasecmp(), which should be avoided, as it could result in an increased possibility of a successful brute-force attack.

Can a CVE be assigned for this?


Ratul Gupta / Red Hat Security Response Team
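The following is an added illustration of the issue described in the message above; it is not code from the original post and not Linux-PAM's own source. It puts a case-folded comparison of the kind the report describes (strncasecmp) beside a case-sensitive one (strcmp), and shows why the former accepts more than one hash string: every letter in the hash has two spellings that fold to the same value, so a hash with n alphabetic characters is matched by 2^n distinct strings, of which only one is the real crypt() output. The function names, the length argument passed to strncasecmp, and the sample hash are all my assumptions; the sample is a constructed 13-character string in the shape of a traditional DES crypt value and is not a real hash of any password.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp() */
#include <ctype.h>

/* Constructed sample: 13 characters drawn from the crypt() alphabet
   [a-zA-Z0-9./], shaped like a traditional DES crypt string.
   It is NOT a real hash of any password. */
#define SAMPLE_HASH "abJnggxhB/yWI"

/* Comparison modelled on the behaviour the report describes: case-folded,
   so 'a' and 'A' at the same position of the hash are treated as equal.
   (The length argument is an assumption made for this example.) */
int compare_vulnerable(const char *stored, const char *computed)
{
    return strncasecmp(stored, computed, strlen(stored)) == 0;
}

/* Hardened comparison: the full stored string must match byte for byte. */
int compare_fixed(const char *stored, const char *computed)
{
    return strcmp(stored, computed) == 0;
}

/* Every alphabetic position has two spellings the case-folded comparison
   cannot distinguish, so it accepts 2^n distinct hash strings where n is
   the number of letters in the hash. Returns n (the exponent). */
int case_alias_log2(const char *hash)
{
    int n = 0;
    for (; *hash; hash++)
        if (isalpha((unsigned char)*hash))
            n++;
    return n;
}

/* Build one such alias: the same hash with the case of every letter
   flipped. If the hash contains no letters the alias equals the input. */
static void flipped_case_alias(const char *hash, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i + 1 < outlen && hash[i]; i++) {
        unsigned char c = (unsigned char)hash[i];
        out[i] = (char)(isupper(c) ? tolower(c)
                        : isalpha(c) ? toupper(c) : c);
    }
    out[i] = '\0';
}

/* Returns 1 if `cmp` accepts the flipped-case alias of `stored` as though
   it were the genuine hash, 0 otherwise. */
int alias_accepted_by(int (*cmp)(const char *, const char *),
                      const char *stored)
{
    char alias[128];
    flipped_case_alias(stored, alias, sizeof alias);
    return cmp(stored, alias);
}

int main(void)
{
    char alias[128];
    int n = case_alias_log2(SAMPLE_HASH);   /* 12 for the sample: 1ULL << n fits */

    flipped_case_alias(SAMPLE_HASH, alias, sizeof alias);
    printf("stored hash : %s\n", SAMPLE_HASH);
    printf("alias       : %s\n", alias);
    printf("letters     : %d -> %llu hash strings accepted by strncasecmp()\n",
           n, 1ULL << n);
    printf("vulnerable accepts alias: %d\n",
           alias_accepted_by(compare_vulnerable, SAMPLE_HASH));
    printf("fixed accepts alias     : %d\n",
           alias_accepted_by(compare_fixed, SAMPLE_HASH));
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. For the sample, 12 of the 13 characters are letters, so the case-folded check accepts 4096 different strings where the exact check accepts one; for the longer SHA-crypt formats the exponent is correspondingly larger. A brute-force search only needs crypt(guess) to land on any of those aliases, which is what the message means by an increased chance of success.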
