Fully Automated Installation Administrator Hashed Password Information Disclosure Vulnerability

Bugtraq ID:	21579
Class:	Design Error
CVE:
Remote:	No
Local:	Yes
Published:	Dec 13 2006 12:00AM
Updated:	Dec 14 2006 04:38PM
Credit:	Justin R. Beckley is credited with the discovery of this vulnerability.
Vulnerable:	Thomas Lange Fully Automated Installation 3.1.2 Thomas Lange Fully Automated Installation 2.1 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1
Not Vulnerable:

Fully Automated Installation Administrator Hashed Password Information Disclosure Vulnerability

Fully Automated Installation (FAI) is prone to a local information-disclosure vulnerability because the application fails to protect sensitive information from unprivileged users.

An attacker can exploit this issue to gain access to sensitive information that may lead to other attacks.
This issue affects versions 2.1.0 and 3.1.2; other versions may also be affected.

Fully Automated Installation Administrator Hashed Password Information Disclosure Vulnerability

An exploit is not required for this issue.

Fully Automated Installation Administrator Hashed Password Information Disclosure Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].

Fully Automated Installation Administrator Hashed Password Information Disclosure Vulnerability

References:

• Debian Bug Report Log #402644 (Root password hash in fai.log) (Debian )
  
• Fully Automated Installation (FAI) Home Page (Thomas Lange)