CVE-2013-2069 – livecd-tools: improper handling of passwords

https://notcve.org/view.php?id=CVE-2013-2069

Red Hat livecd-tools before 13.4.4, 17.x before 17.17, 18.x before 18.16, and 19.x before 19.3, when a rootpw directive is not set in a Kickstart file, sets the root user password to empty, which allows local users to gain privileges. Red Hat livecd-tools anterior a v13.4.4, v17.x anterior a v17.17, v18.x anterior a v18.16, y v19.x anterior a v19.3, cuando una directiva rootpw no se encuentra en un fichero Kickstart, asígna una contraseña vacía al usuario root permitiendo a usuarios locales obtener privilegios. It was discovered that when used to create images, livecd-tools gave the root user an empty password rather than leaving the password locked in situations where no 'rootpw' directive was used or when the 'rootpw --lock' directive was used within the Kickstart file, which could allow local users to gain access to the root account. • http://rhn.redhat.com/errata/RHSA-2013-0849.html http://www.openwall.com/lists/oss-security/2013/05/23/2 http://www.securityfocus.com/bid/60119 https://aws.amazon.com/security/security-bulletins/red-hat-and-other-third-party-public-amis-security-concern https://bugzilla.redhat.com/show_bug.cgi?id=964299 https://exchange.xforce.ibmcloud.com/vulnerabilities/84488 https://access.redhat.com/security/cve/CVE-2013-2069 • CWE-264: Permissions, Privileges, and Access Controls CWE-798: Use of Hard-coded Credentials •