Overview
Nov 27, 2015 I was surprised to find the mkpasswd utility missing from my new installation of CentOS 6.4. Yum has a feature called whatprovides, which can be used to find out which installable package provides some feature, utility or file. The below demonstrates its use. You just need to prefix ‘./’ to the utility name that your searching for. Platform independant what of generating Linux compatible crypt(3) sha512 hashes ($6$ style). For systems (like macOS/OSX) where you can't `mkpasswd -m sha-512`. I made a tool for creating mkpasswd -m sha-512 (Linux/Ubuntu) style hashes on OS X (or any platform). First, we need to acquire a single requirement. Pip3 install passlib Now we create mkpasswdsha-512.py (or whatever you want to call it).
Mkpasswd generates passwords that are insufficiently random.
Description
Mkpasswd is a password generation utility included with Red Hat Linux and possibly other Linux distributions. Mkpasswd generates passwords that are not sufficiently random, which may allow an attacker to predict passwords and consequently gain unauthorized access to other accounts on the system. This vulnerability occurs because mkpasswd uses the current process ID as the seed for the random number generator. Because of this, the number of passwords is limited to the size of the process table on the operating system. |
Impact
An attacker may be able to predict passwords and consequently gain unauthorized access to other accounts on the system. |
Solution
Apply a patch from your vendor. |
Vendor Information
Red Hat Inc. Affected
Updated: April 02, 2003
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Red Hat has fixed this problem. For details, please see Bugzilla Bug 9507.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apple Computer Inc. Not Affected
Updated: April 03, 2003
Status
Not Affected
Vendor Statement
mkpasswd is not shipped with Mac OS X.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Foundry Networks Inc. Not Affected
Updated: April 04, 2003
Status
Not Affected
Vendor Statement
Foundry Networks do not use the mkpasswd utility in any of its products. Foundry products are not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Not Affected
Updated: April 10, 2003
Status
Not Affected
Vendor Statement
Fujitsu's UXP/V o.s. is not affected by the problem in VU#527736.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Mkpasswd For Mac Os
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Not Affected
Updated: April 03, 2003
Status
Not Affected
Vendor Statement
SOURCE:
Hewlett-Packard Company
HP Services
Software Security Response Team
Update 01
x-ref: SSRT3532
Hewlett Packard has investigated this report and find that:
HP-UX - not vulnerable
HP-MPE/ix - not vulnerable
HP Tru64 UNIX - not vulnerable
HP OpenVMS - not vulnerable
HP NonStop Servers - not vulnerable
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Not Affected
Updated: April 11, 2003
Status
Not Affected
Vendor Statement
Hitachi's HI-UX/WE2 is NOT vulnerable, because it does not have mkpasswd.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
References
Mkpasswd For Macbook Pro
Acknowledgements
This vulnerability was reported by Shez
Mkpasswd For Mac And Cheese
This document was written by Ian A. Finlay.
Other Information
Mkpasswd For Mac Pro
| CVE IDs: | None |
| Severity Metric: | 7.03 |
| Date Public: | 2001-04-11 |
| Date First Published: | 2003-04-02 |
| Date Last Updated: | 2003-04-11 12:39 UTC |
| Document Revision: | 19 |