Executive Summary

Information | | |
---|---|---|---
Name | CVE-2009-3232 | First vendor Publication | 2009-09-17
Vendor | Cve | Last vendor Modification | 2024-11-21
Security-Database Scoring CVSS v3

CVSS vector: N/A | | |
---|---|---|---
Overall CVSS Score | NA | |
Base Score | NA | Environmental Score | NA
Impact Sub Score | NA | Temporal Score | NA
Exploitability Sub Score | NA | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C) | | |
---|---|---|---
CVSS Base Score | 9.3 | Attack Range | Network
CVSS Impact Score | 10 | Attack Complexity | Medium
CVSS Exploit Score | 8.6 | Authentication | None Required
Detail

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3232
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-22 | Exploiting Trust in Client (aka Make the Client Invisible) |
CAPEC-57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle |
CAPEC-94 | Man in the Middle Attack |
CAPEC-114 | Authentication Abuse |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-287 | Improper Authentication |
OVAL Definitions

Field | Value | Field | Value
---|---|---|---
Definition Id | oval:org.mitre.oval:def:13240 | |
Oval ID | oval:org.mitre.oval:def:13240 | |
Title | USN-828-1 -- pam vulnerability | |
Description | Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to choose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. This did not affect default Ubuntu installations. | |
Family | unix | Class | patch
Reference(s) | USN-828-1, CVE-2009-3232 | Version | 5
Platform(s) | Ubuntu 8.10, Ubuntu 9.04 | Product(s) | pam
CPE : Common Platform Enumeration

Type | Description | Count
---|---|---
Os | | 2
OpenVAS Exploits
Date | Description |
---|---|
2009-09-15 | Name : Ubuntu USN-828-1 (pam) File : nvt/ubuntu_828_1.nasl |
Open Source Vulnerability Database (OSVDB)

Id | Description
---|---
57908 | pam-auth-update on Ubuntu Linux Authentication Bypass. If an administrator had specifically removed the default list of modules or failed to choose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges.
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-09-15 | Name : The remote system has an authentication bypass vulnerability. File : account_root_randpw.nasl - Type : ACT_GATHER_INFO |
2009-09-09 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-828-1.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History

Date | Information
---|---
2024-11-28 23:10:19 |
2024-11-28 12:19:49 |
2024-02-13 21:27:54 |
2021-05-04 12:10:11 |
2021-04-22 01:10:37 |
2020-05-23 00:24:19 |
2018-10-04 05:18:15 |
2016-04-26 19:07:08 |
2014-02-17 10:51:37 |
2013-05-10 23:57:26 |