oss-sec mailing list archives

CVE-2020-13881: pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if configured with debug parameter


From: "Gollub, Daniel" <daniel.gollub () intl att com>
Date: Mon, 8 Jun 2020 08:59:02 +0000

References: CVE-2020-13881, pam_tacplus#149

TACACS+ shared secret gets logged (syslog) by the PAM tacplus [1], if the
PAM module is configured with the debug parameter. The secrets get logged
at DEBUG loglevel.

pam_tacplus 1.5.3 avoids the logging of the secret, via upstream commit
4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 [2].

The original README of pam_tacplus held a configuration example with the
debug parameter set, so some setups based on that example configuration
might be running in debug mode.

This issue was reported by Adarsh Pandey from Arista Networks [3].

[1] https://github.com/kravietz/pam_tacplus/
[2] https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0
[3] https://github.com/kravietz/pam_tacplus/issues/149


Thanks

Daniel
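
An added example, not part of the original post or of pam_tacplus: a small audit helper that flags active pam_tacplus entries in PAM configuration text that carry the debug argument, redacting the secret= value in its report. The function name and the sample configuration are constructed for illustration; it assumes the usual PAM file syntax ("#" comments, backslash line continuation).

```python
import re

# Constructed sample PAM configuration (not taken from the advisory).
SAMPLE = """\
# /etc/pam.d/sshd (constructed example)
auth     required  pam_tacplus.so debug server=192.0.2.10 secret=EXAMPLE-SECRET login=pap
account  [success=1 default=ignore]  pam_tacplus.so server=192.0.2.10 \\
         secret=EXAMPLE-SECRET service=shell protocol=ssh debug
session  required  /lib/security/pam_tacplus.so server=192.0.2.10 secret=EXAMPLE-SECRET
#auth    required  pam_tacplus.so debug server=192.0.2.10 secret=EXAMPLE-SECRET
auth     required  pam_unix.so debug
"""

def find_tacplus_debug(text):
    """Return (first_line_no, redacted_entry) for each active pam_tacplus
    entry whose module arguments include 'debug'."""
    findings = []
    pending, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no                      # first physical line of this entry
        if raw.rstrip().endswith("\\"):     # continuation: join with next line
            pending += raw.rstrip()[:-1] + " "
            continue
        line, pending = pending + raw, ""
        first, start = start, None
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        # Locate the module token; it may be a bare name or an absolute path.
        idx = next((i for i, t in enumerate(tokens)
                    if t.rsplit("/", 1)[-1] == "pam_tacplus.so"), None)
        if idx is None:
            continue                        # some other PAM module
        if "debug" in tokens[idx + 1:]:     # only arguments after the module
            redacted = re.sub(r"\bsecret=\S+", "secret=<redacted>", line)
            findings.append((first, redacted))
    return findings

if __name__ == "__main__":
    for line_no, entry in find_tacplus_debug(SAMPLE):
        print(f"line {line_no}: debug enabled -> {entry}")
```

Entries it reports are the ones where affected versions would write the shared secret to syslog at DEBUG level.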

