GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Dec 09, 2020 8:26 pm Post subject: [ GLSA 202012-06 ] Linux-PAM
Gentoo Linux Security Advisory
Title: Linux-PAM: Authentication bypass (GLSA 202012-06)
Severity: normal
Exploitable: local, remote
Date: 2020-12-07
Bug(s): #756361
ID: 202012-06
Synopsis
A vulnerability has been found in Linux-PAM, allowing attackers to
bypass the authentication process.
Background
Linux-PAM (Pluggable Authentication Modules) is an architecture allowing
the separation of the development of privilege granting software from the
development of secure and appropriate authentication schemes.
Affected Packages
Package: sys-libs/pam
Vulnerable: < 1.5.1
Unaffected: >= 1.5.1
Architectures: All supported architectures
Description
A flaw was found in Linux-PAM in the way it handles empty passwords for
non-existing users.
Impact
A remote attacker, who only needs to know a non-existing username, could
bypass security restrictions and authenticate as the root user.
Workaround
Ensure that the root account is protected by a non-empty password.
Resolution
All Linux-PAM users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/pam-1.5.1"
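The two checks a defender would want after reading the Workaround and Resolution above, as an added example that is not part of the GLSA or of Gentoo's own tooling: a scan of a shadow-format password database for accounts with an empty password field (the condition the workaround says must not hold for root), and a version comparison that tells whether an installed sys-libs/pam version is below 1.5.1. The shadow lines are constructed sample data; the version check assumes Gentoo-style version strings and ignores an optional "-rN" revision suffix.

```shell
#!/bin/sh
# Added example (not from the advisory). Two defender-side checks:
#   1. list accounts whose shadow password field is empty;
#   2. decide whether a sys-libs/pam version is older than 1.5.1.

# Constructed shadow-format sample; on a real system read /etc/shadow as root.
SAMPLE_SHADOW='root::18600:0:99999:7:::
alice:$6$constructedsalt$constructedhash:18600:0:99999:7:::
bob:!:18600:0:99999:7:::
nobody:*:18600:0:99999:7:::'

# Print the login names whose password field (field 2 of a shadow line) is
# empty. "!" and "*" mark locked accounts, not empty passwords, so those
# are not reported. Reads shadow-format lines on stdin.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# Run the empty-password check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts
}

# Return 0 (true) when the Linux-PAM version in $1 is older than 1.5.1,
# the first unaffected version named in the advisory. Assumes Gentoo-style
# version strings; an optional "-rN" revision suffix is stripped first.
pam_version_vulnerable() {
    ver=${1%%-*}
    # Split "1.4.0" into positional parameters 1 4 0 (word splitting intended).
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # Compare component by component against 1.5.1.
    if [ "$maj" -lt 1 ]; then return 0; fi
    if [ "$maj" -gt 1 ]; then return 1; fi
    if [ "$min" -lt 5 ]; then return 0; fi
    if [ "$min" -gt 5 ]; then return 1; fi
    [ "$pat" -lt 1 ]
}

# Stand-alone demonstration on the constructed data.
echo "Accounts with an empty password field:"
audit_sample
for v in 1.4.0 1.5.0 1.5.1 1.5.1-r1; do
    if pam_version_vulnerable "$v"; then
        echo "sys-libs/pam-$v: vulnerable, upgrade"
    else
        echo "sys-libs/pam-$v: unaffected"
    fi
done
```

On a live Gentoo system the same functions would be fed `/etc/shadow` (readable only by root) and the installed version reported by the package manager; the sample above reports only `root`, since the `!` and `*` entries are locked rather than empty.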
References
CVE-2020-27780