Likewise Open and Enterprise contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the lsassd service not properly sanitizing unspecified user-supplied input. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Upgrade to version 6.0.0-8388 or 6.1.0-8667 or higher for LikewiseOpen and version 6.0.0-268 or higher for LikewiseEnterprise, as they have been reported to fix this vulnerability. It is also possible to temporarily work around the flaw by implementing the following workaround: Disable the local provider in the
“LoadOrder” value stored under the following subkey in the Likewise registry.

[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers]
“LoadOrder"=sza:"ActiveDirectory"

Unknown or Incomplete

• CVE ID: 2011-2467 (see also: NVD)
• Secunia Advisory ID: 45276 45326 45327
• Bugtraq ID: 48816
• ISS X-Force ID: 68765
• Vendor Specific News/Changelog Entry: http://www.likewise.com/community/index.php/forums/viewannounce/1212_6/
  https://bugs.launchpad.net/ubuntu/+source/likewise-open/+bug/802748
  https://launchpadlibrarian.net/74204969/LWSA-2011-002.txt
• Vendor Specific Advisory URL: http://www.ubuntu.com/usn/usn-1171-1/

• Not Available