CERT Coordination Center

Apple Workgroup Manager fails to properly enable ShadowHash passwords

Vulnerability Note VU#847468

Original Release Date: 2006-10-02 | Last Revised: 2006-11-21

Overview

Apple Workgroup Manager fails to properly enable ShadowHash passwords in a NetInfo parent. Workgroup Manager may show an account as using ShadowHash passwords while crypt is still in use.

Description

Workgroup Manager is a system administration tool in Apple Mac OS X Server that manages users, groups, and computers across a network. According to Apple Security Update 2006-006:

Workgroup Manager appears to allow switching authentication type from crypt to ShadowHash passwords in a NetInfo parent, when in actuality it does not.
This issue can be easily detected by refreshing the view of an account in a NetInfo parent.
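
A check that does not rely on the Workgroup Manager display, given here as an added example (not code from this note or from Apple): it reads a passwd-format account dump and reports accounts an administrator expects to be ShadowHash that still carry something else in the password field. The dump layout (such as `nidump passwd` output), the `********` marker for ShadowHash accounts, and the 13-character crypt pattern are assumptions; the sample records are constructed.

```python
import re

# Assumption: a traditional DES crypt(3) hash is 13 characters from this alphabet.
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
# Assumption: ShadowHash accounts show this marker instead of a hash.
SHADOW_MARKER = "********"

# Constructed sample in name:passwd:uid:gid:class:change:expire:gecos:dir:shell
# layout. "XXexamplehash" is a made-up 13-character stand-in, not a real hash.
SAMPLE = """\
# constructed sample dump
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
alice:********:1025:20::0:0:Alice Example:/Users/alice:/bin/bash
bob:XXexamplehash:1026:20::0:0:Bob Example:/Users/bob:/bin/bash
"""

def classify(passwd_field):
    """Return 'shadow', 'crypt', 'none' or 'other' for one password field."""
    if passwd_field == SHADOW_MARKER:
        return "shadow"
    if CRYPT_DES.match(passwd_field):
        return "crypt"
    if passwd_field in ("", "*"):
        return "none"  # empty password or login disabled
    return "other"

def parse_dump(dump_text):
    """Map account name -> classification, skipping comments and bad lines."""
    found = {}
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed record, nothing to classify
        found[fields[0]] = classify(fields[1])
    return found

def mismatches(dump_text, expected_shadow):
    """Accounts expected to be ShadowHash that the directory stores otherwise."""
    found = parse_dump(dump_text)
    result = {name: found.get(name, "missing") for name in expected_shadow}
    return {name: kind for name, kind in result.items() if kind != "shadow"}

if __name__ == "__main__":
    for name, kind in sorted(mismatches(SAMPLE, ["alice", "bob"]).items()):
        print(f"{name}: expected shadow, directory has {kind}")
```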

Impact

Workgroup Manager may show an account as using ShadowHash passwords while crypt is still in use.

Solution

Upgrade
Apple has addressed this issue in Apple Security Update 2006-006.

Acknowledgements

This issue was reported in Apple Security Update 2006-006. Apple credits Chris Pepper of The Rockefeller University for reporting this issue.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2006-4399
Date Public: 2006-09-29
Date First Published: 2006-10-02
Date Last Updated: 2006-11-21 19:20 UTC
Document Revision: 11

Sponsored by CISA.