I like the two day notification window...
On Mar 14, 2012 6:36 PM, "larry Cashdollar" <[email protected]> wrote: > > Oracle Exadata Infiniband Switch default logins and world readable shadow file > > Hi Full-Disclosure List, > > I've noticed a minor issue with the 1/4 rack Oracle Exadata Solution. > > What is Exadata? > > > From Oracle.com "Oracle Exadata is the only database machine that provides extreme performance for both data warehousing and OLTP > applications, making it the ideal platform for consolidating on private clouds. It is a complete package of servers, storage, networking, > and software that is massively scalable, secure, and redundant. With Oracle Exadata customers can reduce IT costs through consolidation, > store up to ten times more data, improve performance of all applications, deliver a faster time-to-market by eliminating systems integration > trial and error, and make better business decisions in real time." > > http://www.oracle.com/us/products/database/exadata/overview/index.html > > The oracle engineered solution contains two leaf switches and in larger installations a spine switch. The installation I worked with didn't > have a spine switch, but the two leaf switches were configured with three logins with easily guessable passwords and a shadow file > that was world readable. > > There are three accounts with easily guessable default passwords on the > exadata inifiniband switches: > > ilom-admin, ilom-operator and nm2user. > > rux0r:~ meep0$ ssh [email protected] "cat /conf/shadow" > > The shadow file is world readable: > > [root@exad-1swib2 ~]# ls -l /conf/shadow > -rw-r--r-- 1 root root 749 Dec 23 2011 /conf/shado > > > Vendor: notified 3/12/2012 > > Fix: > > Rotate default passwords. I am checking on if you can lock down file permissions on /conf/shadow with out causing issues. > > -- Larry Cashdollar > http://vapid.dhs.org > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
