Executive Summary

Summary
Title: PAM vulnerability
Information
Name: USN-828-1
First vendor Publication: 2009-09-08
Vendor: Ubuntu
Last vendor Modification: 2009-09-08
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score: 9.3
Attack Range: Network
Cvss Impact Score: 10
Attack Complexity: Medium
Cvss Exploit Score: 8.6
Authentication: None Required

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.10:
libpam-runtime 1.0.1-4ubuntu5.6

Ubuntu 9.04:
libpam-runtime 1.0.1-9ubuntu1.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to choose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. This did not affect default Ubuntu installations.

Original Source

Url : http://www.ubuntu.com/usn/USN-828-1

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-22 Exploiting Trust in Client (aka Make the Client Invisible)
CAPEC-57 Utilizing REST's Trust in the System Resource to Register Man in the Middle
CAPEC-94 Man in the Middle Attack
CAPEC-114 Authentication Abuse

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13240
 
Oval ID: oval:org.mitre.oval:def:13240
Title: USN-828-1 -- pam vulnerability
Description: Russell Senior discovered that the system authentication module selection mechanism for PAM did not safely handle an empty selection. If an administrator had specifically removed the default list of modules or failed to choose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges. This did not affect default Ubuntu installations.
Family: unix
Class: patch
Reference(s): USN-828-1, CVE-2009-3232
Version: 5
Platform(s): Ubuntu 8.10, Ubuntu 9.04
Product(s): pam
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Os 1
Os 2

OpenVAS Exploits

Date Description
2009-09-15 Name : Ubuntu USN-828-1 (pam)
File : nvt/ubuntu_828_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
57908 pam-auth-update on Ubuntu Linux Authentication Bypass

If an administrator had specifically removed the default list of modules or failed to choose a module when operating debconf in a very unlikely non-default configuration, PAM would allow any authentication attempt, which could lead to remote attackers gaining access to a system with arbitrary privileges.

Nessus® Vulnerability Scanner

Date Description
2009-09-15 Name : The remote system has an authentication bypass vulnerability.
File : account_root_randpw.nasl - Type : ACT_GATHER_INFO
2009-09-09 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-828-1.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2014-02-17 12:06:14
  • Multiple Updates