Comment 52 for bug 534629

MattW (seattle) (mbw) wrote : Re: [Bug 534629] Re: AssumeDefaultDomain does not work

  Folks, versions prior to 8046 have a security flaw - get something
newer, if you can find it. See the advisory below:

Likewise Software has posted a security advisory on our Likewise Open
forum announcements.

  This notice is to inform you of a critical update to specific
Likewise Open packages that we have made available on our product
download site. Below is a copy of the security advisory message.


Likewise Security Advisory LWSA-2010-001


Package : Likewise Open
Service : Likewise Security Authority (lsassd)
Date : 26-July-2010
Platform(s) : Linux, OS X, Solaris, HP-UX, AIX, FreeBSD
Versions : Likewise Open 5.4 (prior to build 8046)
       Likewise-CIFS 5.4 (prior to build 8046)
       Likewise Open 6.0 (prior to build 8234)
CVE(s) : CVE-2010-0833


   A logic flaw has been found in the pam_lsass library that,
   when run under the context of a root service (e.g. sshd,
   gdm, etc.), will allow any user to log on as a lsassd
   local-provider account (e.g. MACHINE\Administrator) if
   the account's password is marked as expired. The cause
   is that the pam_lsass library uses SetPassword logic when
   detecting that the uid is 0, therefore not requiring
   that the intruder validate against the expired password
   before being allowed to specify a new password.

   All Likewise Open users are encouraged to upgrade to
   the latest released packages for their version or to
   employ the stated workaround until such a time when
   an upgrade may be performed.

   This defect was first reported by Matt Weatherford from
   the University of Washington. Our thanks to Matt for
   helping improve Likewise Open.


   Explicitly disabling the MACHINE\Administrator (or any
   other lsassd local-provider accounts not in use) will
   prevent unauthorized access. This may be done by running
   the following command as the local superuser. Replace
    with the hostname of the local system

     $ lw-mod-user --disable-user "\Administrator"

   You may verify that the account is disabled by running the
   lw-find-user-by-name command

     $ lw-find-user-by-name --level 2 "MACHINE\Administrator"
     Account disabled (or locked): TRUE

Updated Packages:

   New packages for both Likewise Open 5.4 and Likewise Open
   6.0 have been made available from

Likewise Security Team <email address hidden>



On 8/3/2010 11:44 AM, Tony Shadwick wrote:
> Going to give this a shot:
> -deb-installer
> I'll report how it goes - this is the most recent build available after
> 7985. One would hope the problem did not spring back up in the later
> build...
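The following is an added illustration, not code from this bug comment, from Likewise, or from pam_lsass. It is a small model of the flaw the advisory describes: a password-change rule that treats "the hosting process has uid 0" as "an administrator is setting a password" lets an unauthenticated login through a root service (sshd, gdm) replace an expired account's password without ever proving the old one. The hardened rule keys the SetPassword shortcut to an authenticated identity instead. The account store, `Caller` record, `ADMINS` set, the `demo` scenario, and the `SAMPLE_OUTPUT` text are all constructed here; only the `Account disabled (or locked): TRUE` line is taken from the advisory's verification step.

```python
"""Toy model of the expired-password logic flaw in LWSA-2010-001 (CVE-2010-0833).
Added illustration; not Likewise code. Everything below is constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ADMINS = {"root"}  # assumed: identities allowed to set a password without the old one


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    expired: bool = False
    disabled: bool = False

    @classmethod
    def create(cls, name: str, password: str, **flags) -> "Account":
        salt = os.urandom(16)
        return cls(name, salt, _hash(password, salt), **flags)

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def set_password(self, new_pw: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_pw, self.salt)
        self.expired = False


@dataclass
class Caller:
    """Who is driving the PAM conversation (constructed model)."""
    euid: int                        # uid of the process hosting PAM; sshd/gdm run as 0
    authenticated_as: Optional[str]  # identity already proven in this session, if any


def chauthtok_vulnerable(acct: Account, caller: Caller, old_pw: str, new_pw: str) -> bool:
    """Flawed rule from the advisory: euid 0 is read as 'administrator setting a
    password', so the old password is skipped. Under a root service every
    login attempt arrives with euid 0, authenticated or not."""
    if acct.disabled:
        return False
    if caller.euid != 0 and not acct.check(old_pw):
        return False
    acct.set_password(new_pw)
    return True


def chauthtok_hardened(acct: Account, caller: Caller, old_pw: str, new_pw: str) -> bool:
    """Corrected rule: the SetPassword shortcut depends on the requester's
    authenticated identity, never on the hosting process's uid. A login-time
    expired-password change has no authenticated identity yet, so it must
    prove the old password first."""
    if acct.disabled:
        return False
    if caller.authenticated_as in ADMINS:
        acct.set_password(new_pw)  # genuine administrative reset
        return True
    if not acct.check(old_pw):
        return False
    acct.set_password(new_pw)
    return True


# Constructed sample of `lw-find-user-by-name --level 2` output; only the
# "Account disabled (or locked)" line is from the advisory.
SAMPLE_OUTPUT = """Name:                         MACHINE\\Administrator
Account disabled (or locked): TRUE
"""


def account_is_disabled(lw_find_user_output: str) -> bool:
    """Check the advisory's workaround took effect by parsing the tool's output."""
    for line in lw_find_user_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Account disabled (or locked)":
            return value.strip().upper() == "TRUE"
    return False


def demo() -> dict:
    """Run the advisory's scenario under both rules; returns outcomes by name."""
    sshd = Caller(euid=0, authenticated_as=None)          # remote user, not yet authenticated
    root_shell = Caller(euid=0, authenticated_as="root")  # real administrator
    results = {}
    # Expired local-provider account, wrong old password supplied.
    acct = Account.create("MACHINE\\Administrator", "correct horse", expired=True)
    results["wrong_pw_vulnerable"] = chauthtok_vulnerable(acct, sshd, "wrong", "new")
    acct = Account.create("MACHINE\\Administrator", "correct horse", expired=True)
    results["wrong_pw_hardened"] = chauthtok_hardened(acct, sshd, "wrong", "new")
    # Workaround: a disabled account is refused even by the flawed rule.
    acct = Account.create("MACHINE\\Administrator", "correct horse", expired=True, disabled=True)
    results["disabled_vulnerable"] = chauthtok_vulnerable(acct, sshd, "wrong", "new")
    # Legitimate flows still work under the hardened rule.
    acct = Account.create("alice", "old pw", expired=True)
    results["owner_hardened"] = chauthtok_hardened(acct, sshd, "old pw", "new pw") and acct.check("new pw")
    results["root_reset_hardened"] = chauthtok_hardened(acct, root_shell, "", "reset") and acct.check("reset")
    return results
```

`demo()` shows the two rules diverging only on the unauthenticated, wrong-old-password case, which is exactly the condition the advisory names; the disabled-account case shows why the workaround closes the hole even on unpatched builds.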