oss-sec mailing list archives
Re: Heads up: PAM 1.5.0 has a auth bypass under some conditions
From: "Dmitry V. Levin" <ldv () altlinux org>
Date: Tue, 24 Nov 2020 21:43:38 +0300
Hi, On Tue, Nov 24, 2020 at 07:20:21PM +0100, Marcus Meissner wrote:
Hi, (via IRC, spotted by Foxboron) PAM 1.5.0 had a potential auth bypass, if a user did not exist and the root password was empty (but root locked down). The reporters usecase was spammers pretending to be unknown users with a PAM enabled dovecot. This issue affected only pam 1.5.0.
I'd like to note that the issue affects pam_unix module only, those who use other authentication modules instead of pam_unix are not effected. Nevertheless, Linux-PAM 1.5.1 is going to be released shortly to address this issue. Just for the record, the bug was introduced by commit https://github.com/linux-pam/linux-pam/commit/af0faf666c5008e54dfe43684f210e3581ff1bca and fixed by commit https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb -- ldv
Current thread:
- Heads up: PAM 1.5.0 has a auth bypass under some conditions Marcus Meissner (Nov 24)
- Re: Heads up: PAM 1.5.0 has a auth bypass under some conditions John Helmert III (Nov 24)
- Re: Heads up: PAM 1.5.0 has a auth bypass under some conditions Érico Nogueira (Nov 24)
- Re: Heads up: PAM 1.5.0 has a auth bypass under some conditions Dmitry V. Levin (Nov 24)
- Re: Heads up: PAM 1.5.0 has a auth bypass under some conditions John Helmert III (Nov 24)