CVE-2006-1058 - Use of Password Hash With Insufficient Computational Effort vulnerability in multiple products
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | NONE |
Availability impact | NONE |
Summary
BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Application | | 5 |
Common Weakness Enumeration (CWE)
Nessus
NASL family | Scientific Linux Local Security Checks |
NASL id | SL_20070501_BUSYBOX_ON_SL4_X.NASL |
description | BusyBox did not use a salt when generating passwords. This made it easier for local users to guess passwords from a stolen password file. (CVE-2006-1058) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 60162 |
published | 2012-08-01 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/60162 |
title | Scientific Linux Security Update : busybox on SL4.x i386/x86_64 |

NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2007-0244.NASL |
description | Updated busybox packages that fix a security issue are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. Busybox is a single binary which includes versions of a large number of system commands, including a shell. This package can be useful for recovering from certain types of system failures. BusyBox did not use a salt when generating passwords. This made it easier for local users to guess passwords from a stolen password file. (CVE-2006-1058) All users of busybox are advised to upgrade to these updated packages, which contain a patch to resolve this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25140 |
published | 2007-05-02 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25140 |
title | RHEL 4 : busybox (RHSA-2007:0244) |

NASL family | CentOS Local Security Checks |
NASL id | CENTOS_RHSA-2007-0244.NASL |
description | Updated busybox packages that fix a security issue are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. Busybox is a single binary which includes versions of a large number of system commands, including a shell. This package can be useful for recovering from certain types of system failures. BusyBox did not use a salt when generating passwords. This made it easier for local users to guess passwords from a stolen password file. (CVE-2006-1058) All users of busybox are advised to upgrade to these updated packages, which contain a patch to resolve this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 67044 |
published | 2013-06-29 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/67044 |
title | CentOS 4 : busybox (CESA-2007:0244) |

NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2007-0244.NASL |
description | From Red Hat Security Advisory 2007:0244 : Updated busybox packages that fix a security issue are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. Busybox is a single binary which includes versions of a large number of system commands, including a shell. This package can be useful for recovering from certain types of system failures. BusyBox did not use a salt when generating passwords. This made it easier for local users to guess passwords from a stolen password file. (CVE-2006-1058) All users of busybox are advised to upgrade to these updated packages, which contain a patch to resolve this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 67478 |
published | 2013-07-12 |
reporter | This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/67478 |
title | Oracle Linux 4 : busybox (ELSA-2007-0244) |
Oval
accepted | 2013-04-29T04:19:41.563-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. |
family | unix |
id | oval:org.mitre.oval:def:9483 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. |
version | 26 |
Redhat
advisories | |
rpms | |
Statements
contributor | Mark J Cox |
lastmodified | 2006-09-19 |
organization | Red Hat |
statement | Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187385 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue does not affect Red Hat Enterprise Linux 2.1 or 3. |
References
- http://bugs.busybox.net/view.php?id=604
- http://www.securityfocus.com/bid/17330
- http://secunia.com/advisories/19477
- http://www.redhat.com/support/errata/RHSA-2007-0244.html
- http://secunia.com/advisories/25098
- http://support.avaya.com/elmodocs2/security/ASA-2007-250.htm
- http://secunia.com/advisories/25848
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25569
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9483