Security Vulnerability: admin password clear text in SYS:/ETC/NMAS/NMASINST.LOG

  • 3260550
  • 07-Jun-2007
  • 26-Apr-2012

Environment


Novell Modular Authentication Service (NMAS) version 3.1.2 and prior on NetWare

Situation

Running NMASINST on NetWare writes its command line to SYS:/ETC/NMAS/NMASINST.LOG. If the admin account and password are supplied on the command line, both are visible in clear text in NMASINST.LOG.

Resolution

This problem can be resolved in two ways:

1. Apply NMAS version 3.1.3, available in Security Services 2.0.4, which no longer dumps the command line to NMASINST.LOG.
2. NMASINST can be run without the pwd option so that the password is not included on the command line. The admin will be prompted for the password.