How to Address the “User(s) With Blank Password” Vulnerability

Details of the Vulnerability

THREAT:

The user (local service account) has a blank password in the shadow file, which allows connecting to the system without entering a password.

IMPACT:

An attacker may connect to the system by knowing just the username.

SOLUTION:

Set a password for the user (local service account). (Many companies' security policies do not allow a password for such a user.)

If the application's users still need to access the account without a password, the account should instead be locked, i.e. lock the passwordless local service account. Setting a password for a local service account is against many companies' security policy.

This is easy to fix. All you need is "passwd -l user" (where user is the local service account), which changes that user's entry in /etc/shadow

From blank password:

user(local service account)::16555:0:99999:7:::

To locked State:

user(local service account):!!:16555:0:99999:7:::
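The following is an added example, not part of the original post: a small POSIX shell script that audits a shadow-format file for accounts with an empty password field (the condition the scanner flags) and prints what the entry looks like once locked, matching the before/after lines above. The sample file and account names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a shadow-format file for
# accounts with an empty password field, and show what the locked record looks
# like. Field 2 of /etc/shadow holds the password hash; an empty field means no
# password is asked for, while "!", "!!" or "*" mean password login is disabled.

# List accounts whose password field is empty. $1 = path to a shadow-format file.
find_blank_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the record for account $2 as it would look after locking: an empty
# field becomes "!!", as in the post's before/after lines. This only prints
# the new line; on a live system run "passwd -l <account>" rather than editing
# /etc/shadow by hand.
locked_record() {
    awk -F: -v OFS=: -v user="$2" \
        '$1 == user && $2 == "" { $2 = "!!" } $1 == user { print }' "$1"
}

# Constructed sample file for the demonstration (not a real /etc/shadow).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$examplesalt$examplehash:16555:0:99999:7:::
svcacct::16555:0:99999:7:::
locked:!!:16555:0:99999:7:::
nologin:*:16555:0:99999:7:::
EOF

echo "Accounts with a blank password:"
find_blank_password_users "$SAMPLE"
echo "svcacct after lock would read:"
locked_record "$SAMPLE" svcacct
rm -f "$SAMPLE"
```

Run it against /etc/shadow (as root) to get the list of accounts the finding refers to; an account listed there is the one to lock with passwd -l.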
