Executive Summary

Informations
Name CVE-2009-3232 First vendor Publication 2009-09-17
Vendor Cve Last vendor Modification 2024-02-13

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3232

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-22 Exploiting Trust in Client (aka Make the Client Invisible)
CAPEC-57 Utilizing REST's Trust in the System Resource to Register Man in the Middle
CAPEC-94 Man in the Middle Attack
CAPEC-114 Authentication Abuse

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13240
 
Oval ID: oval:org.mitre.oval:def:13240
Title: USN-828-1 -- pam vulnerability
Description: Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to chose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. This did not affect default Ubuntu installations.
Family: unix Class: patch
Reference(s): USN-828-1
CVE-2009-3232
 Version: 5
Platform(s): Ubuntu 8.10
Ubuntu 9.04
 Product(s): pam
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 2

OpenVAS Exploits

Date Description
2009-09-15 Name : Ubuntu USN-828-1 (pam)
File : nvt/ubuntu_828_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
57908 pam-auth-update on Ubuntu Linux Authentication Bypass

If an administrator had specifically removed the default list of modules or failed to chose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges.

Nessus® Vulnerability Scanner

Date Description
2009-09-15 Name : The remote system has an authentication bypass vulnerability.
File : account_root_randpw.nasl - Type : ACT_GATHER_INFO
2009-09-09 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-828-1.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
BID http://www.securityfocus.com/bid/36306
CONFIRM http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927
https://launchpad.net/bugs/410171
MLIST http://www.openwall.com/lists/oss-security/2009/09/08/7
SECUNIA http://secunia.com/advisories/36620
UBUNTU https://usn.ubuntu.com/828-1/

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
Date Informations
2024-02-13 21:27:54
  • Multiple Updates
2021-05-04 12:10:11
  • Multiple Updates
2021-04-22 01:10:37
  • Multiple Updates
2020-05-23 00:24:19
  • Multiple Updates
2018-10-04 05:18:15
  • Multiple Updates
2016-04-26 19:07:08
  • Multiple Updates
2014-02-17 10:51:37
  • Multiple Updates
2013-05-10 23:57:26
  • Multiple Updates