Stay Ahead With Linux Security News

security advisorypassword exposurefirewall security

SmoothWall Security Advisory: Encrypted Password Hash Risk Details

Update: Project founder responds below . "SmoothWall does not use shadowed passwords in their firewall implementation. While this is not inherently dangerous as firewall systems are not designed as multi-user, an unauthorized user gaining access to the system via exploitation . . . . Update: Project founder responds below . "SmoothWall does not use shadowed passwords in their firewall implementation. While this is not inherently dangerous as firewall systems are not designed as multi-user, an unauthorized user gaining access to the system via exploitation of an unprivileged process may be able to gain administrative access by copying the password hash, and launching a brute force cracking program against it." It seems several smoothwall developers have developed an attitude towards accepting criticizm from other security professionals and don't feel this is an issue that deserves their attention. The issue escalated when the lead person responsible for the project called it "Trench Warfare." It seems he doesn't take criticism too well? Is the state of the project in jeopardy? Is there a battle going on between the people developing the project and attitude towards their users? Are there other security holes that aren't being fixed? Users interested in a system not succeptible to this security vulnerability might try Slackware. Users interested in a web-managable secure solution might try EnGarde. Update 13:49 EST - Richard Morell, smoothwall project founder, responded to LinuxSecurity.com with the following email. It certainly wasn't our intention to mislead. We report, you decide. There is also a page on their site now that provides their perspective. Subject: Factual reporting of the article you posted Date: Fri, 18 Jan 2002 17:13:49 +0000 From: Richard Morrell To: This email address is being protected from spambots. You need JavaScript enabled to view it. Dave, I really really really wish a site of the standing of Linux Security would check its sources. Its really appalling. You've made sweeping statements about ourproject that if you please fix then I'd be grateful. Juergen Schmidt is a noise, an unpleasant but effective noise, a radical without a cause - he loves stirring it - can't write effective journalism and hates being made to look what he is - half witted and unable to do basic research at shell level. Lawrence Manning the code leader behind SmoothWall responded to Juergen throughout but Juergen forgot to mention that we twice made him look a dork by finding flaws in his research, your article today made us look like we don't care when we do and we work long hours so please correct this once you've read Lawrences OWN response. Richard Morrell Project Manager, Founder AND FUNDER The link for this article located at SecurityFocus is no longer available. . TechSecure is dealing with issues regarding the compromise of hashed user passwords. The founder of the initiative has released a statement concerning the security breach.. SmoothWall Security, Password Hash Exposure, Firewall Risk. . LinuxSecurity.com Team

Jan 18, 2002 • LinuxSecurity.com Team Vendors/Products