oss-sec mailing list archives
CVE-2020-13881: pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if configured with debug parameter
From: "Gollub, Daniel" <daniel.gollub () intl att com>
Date: Mon, 8 Jun 2020 08:59:02 +0000
References: CVE-2020-13881, pam_tacplus#149

TACACS+ shared secret gets logged (syslog) by the PAM tacplus [1], if the PAM module is configured with the debug parameter. The secrets get logged at DEBUG loglevel.

pam_tacplus 1.5.3 avoids the logging of the secret, via upstream commit 4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 [2].

The original README of pam_tacplus held a configuration example with the debug parameter set, which might have resulted in some setups, which are running in debug-mode, based on the example configuration.

This issue got reported by Adarsh Pandey from Arista Networks [3].

[1] https://github.com/kravietz/pam_tacplus/
[2] https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0
[3] https://github.com/kravietz/pam_tacplus/issues/149

Thanks
Daniel
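Added example, not part of the original post and not pam_tacplus project code: a small audit that finds PAM rules loading pam_tacplus.so with the debug parameter, the configuration the advisory describes. It assumes PAM service files under /etc/pam.d in the usual type/control/module/arguments layout; the function names and the sample file are constructed for illustration.

```python
import glob
import os
import re

# Constructed sample PAM service file (not the pam_tacplus README example).
SAMPLE = """\
# /etc/pam.d/sshd (constructed)
auth     required   pam_env.so
auth     sufficient pam_tacplus.so debug server=192.0.2.10 \\
                    secret=EXAMPLE-SECRET timeout=5
account  [success=1 default=ignore] /lib/security/pam_tacplus.so server=192.0.2.10 secret=EXAMPLE-SECRET
session  optional   pam_tacplus.so server=192.0.2.10 secret=EXAMPLE-SECRET # debug
"""

# type, control (plain or bracketed), module path, module arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def logical_lines(text):
    """Yield (first_line_no, rule) with continuations joined, comments dropped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, first = (buf + raw).split("#", 1)[0].strip(), start
        buf, start = "", None
        if line:
            yield first, line

def audit(text):
    """Return (line_no, pam_type, redacted_args) for pam_tacplus rules using debug."""
    findings = []
    for no, line in logical_lines(text):
        m = RULE.match(line)
        if not m or not m.group(3).endswith("pam_tacplus.so"):
            continue
        args = m.group(4).split()
        if "debug" in args:
            # Never echo the shared secret into the audit output.
            shown = ["secret=<redacted>" if a.startswith("secret=") else a for a in args]
            findings.append((no, m.group(1), " ".join(shown)))
    return findings

if __name__ == "__main__":
    paths = [p for p in glob.glob("/etc/pam.d/*") if os.path.isfile(p)]  # assumed location
    for path in sorted(paths):
        with open(path, errors="replace") as fh:
            for no, kind, args in audit(fh.read()):
                print(f"{path}:{no}: {kind} pam_tacplus.so {args}")
```

A hit only shows that debug is enabled; whether the secret was actually logged depends on the installed pam_tacplus version falling in the affected range named above.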