Title: Visible Systems Razor Password File Vulnerability
Severity: MODERATE
Description:
The Razor Configuration Management program stores passwords in a file called 'rz_passwd' in the Razor_License directory on the license server. The passwords are encrypted with a weak algorithm and can be revealed trivially. This file is world-readable by default. If an administrator changes the permissions (e.g. to make the file readable only by a certain group), the permissions will be reset to world-readable the next time the affected application performs any operation on that file.
A local attacker can therefore obtain the Razor passwords, and either seize control of the software and relevant databases or use those passwords to access other users' accounts on the network.
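The following audit check is an added example, not part of the original advisory or of any vendor tooling. It assumes POSIX permission bits only (no ACLs), examines directories only up to the scan root passed in, and the function names `audit_rz_passwd` and `blocking_dir` are hypothetical.

```python
import os
import stat

def blocking_dir(directory, scan_root):
    """Return the first directory between `directory` and `scan_root`
    (inclusive) that denies traversal (o+x) to 'other' users, or None."""
    current = os.path.abspath(directory)
    scan_root = os.path.abspath(scan_root)
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return current
        if current == scan_root or os.path.dirname(current) == current:
            return None
        current = os.path.dirname(current)

def audit_rz_passwd(scan_root):
    """Report every Razor_License/rz_passwd under scan_root with its mode
    and whether users outside the owner/group can actually read it."""
    scan_root = os.path.abspath(scan_root)
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        if os.path.basename(dirpath) != "Razor_License" or "rz_passwd" not in files:
            continue
        path = os.path.join(dirpath, "rz_passwd")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        world_read = bool(mode & stat.S_IROTH)
        # The o+r bit only matters if every enclosing directory grants o+x.
        blocker = blocking_dir(dirpath, scan_root)
        findings.append({
            "path": path,
            "mode": oct(mode),
            "world_readable_bit": world_read,
            "blocked_by": blocker,
            "exposed": world_read and blocker is None,
        })
    return findings

if __name__ == "__main__":
    import sys
    for f in audit_rz_passwd(sys.argv[1] if len(sys.argv) > 1 else "."):
        state = "EXPOSED" if f["exposed"] else "ok"
        print(f'{state:8} {f["mode"]} {f["path"]} blocked_by={f["blocked_by"]}')
```

Because the application resets the file mode on its next operation, a single clean result does not mean the file stays protected; the check is meant to be rerun on a schedule.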
Affected Products:
- Visible Systems Razor 4.1.0
References:
- Visible Systems Corporation: Razor Home Page