"value":"The Razor configuration management tool uses weak encryption for its password file, which allows local users to gain privileges."
}
],
"vendorComments":[
{
"organization":"Razor",
"comment":"Subsequent releases of Razor address this issue and utilize a more robust encryption mechanism for the Razor password. If you are under maintenance, you have the option of upgrading to a more recent release of Razor at no cost. If you are not under maintenance and want to upgrade then you will need to contact Jennifer Stone at jstone@visible.com.\n\nSome additional notes ...\n\n- With version 4.1 and above, administrators of Razor may switch and use the local OS authentication instead of Razor\u2019s authentication method.\n\n- OS permissions and protections always apply to the artifacts stored in the database.\n\n- This notice applies to users that have already logged into the supporting system. This primary means of defense is intact inspite of this particular vulnerability.\n\n- The next Razor release (due out in mid-2007) will allow remote UNIX clients to utilize SSH to authenticate the remote user. More information on this release and others may be found on the Visible Systems web site:\n\nhttp://www.visible.com/Products/Razor\n\nPlease contact Visible Systems Corporation at 1-800-6-VISIBLE if you have additional questions.",
