CVE-2006-3597 - passwd before 1:4.0.13 on Ubuntu 6.06 LTS leaves the root password blank instead of locking it when

CVE-2006-3597

Summary

passwd before 1:4.0.13 on Ubuntu 6.06 LTS leaves the root password blank instead of locking it when the administrator selects the "Go Back" option after the final "Installation complete" message and uses the main menu, which causes the password to be zeroed out in the installer's memory.

References

http://secunia.com/advisories/21022
http://www.osvdb.org/27091
http://www.ubuntu.com/usn/usn-316-1

Vulnerable Configurations

cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:*:*:*:*:*:*:*
cpe:2.3:o:ubuntu:ubuntu_linux:6.06_lts:*:*:*:*:*:*:*

CVSS

Base:	7.2 (as of 05-09-2008 - 21:07)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:L/Au:N/C:C/I:C/A:C

refmap via4

osvdb	27091
secunia	21022
ubuntu	USN-316-1

Last major update

05-09-2008 - 21:07

Published

18-07-2006 - 15:37

Last modified

05-09-2008 - 21:07