Security Bulletin: While changing password of administrative user, the supplied password is exposed in shell command history on IBM Storwize V7000 Unified (CVE-2014-3045)

Summary

A fix is available for IBM Storwize V7000 Unified for the security issue where the password is exposed in the shell command history while changing the password of administrative user.

Vulnerability Details

CVEID:
CVE-2014-3045

DESCRIPTION:
One of the purposes of chuser command is to modify the password of an administrative user account in IBM Storwize V7000 Unified.

The chuser and svctask chuser commands require passwords to be entered on the command line, along with the -p argument. This leaves passwords visible in the shell command history. The shell command history in which password is visible is available only for the root user.

CVE-2014-3045
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93345 for the current score.

Affected Products and Versions

IBM Storwize V7000 Unified
The product is affected when running code releases 1.3.0.0 to 1.4.3.2

Remediation/Fixes

A fix for this issue is in version 1.4.3.3 of IBM Storwize V7000 Unified. Customers running an affected version of V7000 Unified should upgrade to 1.4.3.3 or a later version to apply the fix.

Workarounds and Mitigations

Workaround(s) :
1. Modify HISTIGNORE environment variable for root user, so that chuser command will not be included in shell bash history. You could add this environment variable to .bashrc file in home directory of root user.

2. After changing password using chuser command, the admin user may get root user to clear the shell command history of root user, using history -c command.