IBM Support

Security Bulletin: While changing password of administrative user, the supplied password is exposed in shell command history on IBM Storwize V7000 Unified (CVE-2014-3045)

Created by Sachin C Punadikar on
Published URL:
https://www.ibm.com/support/pages/node/689867
689867

Security Bulletin


Summary

A fix is available for IBM Storwize V7000 Unified for the security issue where the password is exposed in the shell command history while changing the password of administrative user.

Vulnerability Details

CVEID:
CVE-2014-3045

DESCRIPTION:
One of the purposes of chuser command is to modify the password of an administrative user account in IBM Storwize V7000 Unified.

The chuser and svctask chuser commands require passwords to be entered on the command line, along with the -p argument. This leaves passwords visible in the shell command history. The shell command history in which password is visible is available only for the root user.

CVE-2014-3045
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93345 for the current score.

Affected Products and Versions

IBM Storwize V7000 Unified
The product is affected when running code releases 1.3.0.0 to 1.4.3.2

Remediation/Fixes

A fix for this issue is in version 1.4.3.3 of IBM Storwize V7000 Unified. Customers running an affected version of V7000 Unified should upgrade to 1.4.3.3 or a later version to apply the fix.

Workarounds and Mitigations

Workaround(s) :
1. Modify HISTIGNORE environment variable for root user, so that chuser command will not be included in shell bash history. You could add this environment variable to .bashrc file in home directory of root user.

2. After changing password using chuser command, the admin user may get root user to clear the shell command history of root user, using history -c command.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Thanks to Google, for identifying and reporting this issue to IBM.

Change History

16 July 2014: First draft

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT 1727

[{"Product":{"code":"ST5Q4U","label":"IBM Storwize V7000 Unified (2073-700)"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"1.4","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1.3;1.4","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
17 June 2018

UID

ssg1S1004810

Page Feedback