Vulnerability Note VU#527736
mkpasswd uses weak random number generator
Mkpasswd generates passwords that are insufficiently random.
Mkpasswd is a password generation utility included with Red Hat Linux and possibly other Linux distributions. Mkpasswd generates passwords that are not sufficiently random, which may allow an attacker to predict passwords and consequently gain unauthorized access to other accounts on the system. This vulnerability occurs because mkpasswd uses the current process ID as the seed for the random number generator. Because of this, the number of passwords is limited to the size of the process table on the operating system.
An attacker may be able to predict passwords and consequently gain unauthorized access to other accounts on the system.
Apply a patch from your vendor.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Red Hat Inc.||Affected||-||02 Apr 2003|
|Apple Computer Inc.||Not Affected||-||03 Apr 2003|
|Foundry Networks Inc.||Not Affected||-||04 Apr 2003|
|Fujitsu||Not Affected||-||10 Apr 2003|
|Hewlett-Packard Company||Not Affected||-||03 Apr 2003|
|Hitachi||Not Affected||-||11 Apr 2003|
CVSS Metrics (Learn More)
This vulnerability was reported by Shez <email@example.com>.
This document was written by Ian A. Finlay.
- CVE IDs: Unknown
- Date Public: 11 Apr 2001
- Date First Published: 02 Apr 2003
- Date Last Updated: 11 Apr 2003
- Severity Metric: 7.03
- Document Revision: 19
If you have feedback, comments, or additional information about this vulnerability, please send us email.