Opsware NAS 6.0 reveals MySQL 'root' password

2006.07.27

Credit: Freeman, Michael (mfreeman multimax com)

Risk: Medium

Local: No

Remote: No

CVE: CVE-2006-3878

CWE: CWE-89

CVSS Base Score: 2.1/10

Impact Subscore: 2.9/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

The Opsware Network Automation System (NAS) version 6.0 installation
places an 'init' style startup script in /etc/init.d/mysqll and places
the 'root' password that you choose for the MySQL MAX database during
installation.
The permissions on this small shell script are world readable, allowing
any user of the system to compromise the 'root' MySQL account. This
could reveal network intelligence including stored/shared authentication
credentials for network devices.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Opsware NAS 6.0 reveals MySQL 'root' password

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.