Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2009-3232 | First vendor Publication | 2009-09-17 |
| Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9.3 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3232 |
CAPEC : Common Attack Pattern Enumeration & Classification
| Id | Name |
|---|---|
| CAPEC-22 | Exploiting Trust in Client (aka Make the Client Invisible) |
| CAPEC-57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle |
| CAPEC-94 | Man in the Middle Attack |
| CAPEC-114 | Authentication Abuse |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-287 | Improper Authentication |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13240 | |||
| Oval ID: | oval:org.mitre.oval:def:13240 | ||
| Title: | USN-828-1 -- pam vulnerability | ||
| Description: | Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to chose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. This did not affect default Ubuntu installations. | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-828-1 CVE-2009-3232 | Version: | 5 |
| Platform(s): | Ubuntu 8.10 Ubuntu 9.04 | Product(s): | pam |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Os | 2 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-09-15 | Name : Ubuntu USN-828-1 (pam) File : nvt/ubuntu_828_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 57908 | pam-auth-update on Ubuntu Linux Authentication Bypass If an administrator had specifically removed the default list of modules or failed to chose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-09-15 | Name : The remote system has an authentication bypass vulnerability. File : account_root_randpw.nasl - Type : ACT_GATHER_INFO |
| 2009-09-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-828-1.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2024-11-28 23:10:19 |
|
| 2024-11-28 12:19:49 |
|
| 2024-02-13 21:27:54 |
|
| 2021-05-04 12:10:11 |
|
| 2021-04-22 01:10:37 |
|
| 2020-05-23 00:24:19 |
|
| 2018-10-04 05:18:15 |
|
| 2016-04-26 19:07:08 |
|
| 2014-02-17 10:51:37 |
|
| 2013-05-10 23:57:26 |
|
