ID CVE-2016-1601
Summary yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors.
References
Vulnerable Configurations
  • SuSE YaST2
    cpe:2.3:o:suse:yast2
  • cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1
  • cpe:2.3:o:suse:linux_enterprise_server:12:sp1
  • cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1
CVSS
Base: 10.0 (as of 06-05-2016 - 13:04)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: COMPLETE
  • Integrity: COMPLETE
  • Availability: COMPLETE
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1138-1.NASL
    description yast2-users was updated to fix one security issue. This security issue was fixed: - CVE-2016-1601: Empty passwords fields in /etc/shadow after SLES 12 SP1 autoyast installation (bsc#974220). This update includes a script that fixes installations that were affected by this problem. It is run automatically upon installing the update. The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90754
    published 2016-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90754
    title SUSE SLED12 / SLES12 Security Update : yast2-users (SUSE-SU-2016:1138-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-555.NASL
    description yast2-users was updated to fix one security issue. This security issue was fixed: - CVE-2016-1601: Empty passwords fields in /etc/shadow after SLES 12 SP1 autoyast installation (bsc#974220). This update includes a script that fixes installations that were affected by this problem. It is run automatically upon installing the update. This non-security issue was fixed: - bsc#971804: Set root password correctly when using a minimal profile. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 90907
    published 2016-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90907
    title openSUSE Security Update : yast2-users (openSUSE-2016-555)
refmap via4
confirm
suse
  • SUSE-SU-2016:1138
  • openSUSE-SU-2016:1226
Last major update 30-11-2016 - 22:05
Published 26-04-2016 - 10:59