[ASA-202012-13] pam: authentication bypass
Morten Linderud
foxboron at archlinux.org
Thu Dec 17 19:21:53 UTC 2020
Arch Linux Security Advisory ASA-202012-13
==========================================
Severity: High
Date    : 2020-12-09
CVE-ID  : CVE-2020-27780
Package : pam
Type    : authentication bypass
Remote  : No
Link    : https://security.archlinux.org/AVG-1297
Summary
=======
The package pam before version 1.5.0-2 is vulnerable to authentication
bypass.
Resolution
==========
Upgrade to 1.5.0-2.
# pacman -Syu "pam>=1.5.0-2"
The problem has been fixed upstream but no release is available yet.
Workaround
==========
The issue can be mitigated by setting a non-empty password for the root
user.
Description
===========
An authentication bypass issue was found in pam 1.5.0. Nonexistent
users could authenticate if the root password was empty.
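An added audit check (example code, not part of this advisory or of linux-pam) for the two conditions the advisory ties together: a pam package older than the fixed 1.5.0-2 and an empty root password field in /etc/shadow. The version comparison is a simplified subset of pacman's vercmp (epoch, dotted numeric pkgver, numeric pkgrel) and the shadow lines are constructed samples.

```python
"""Audit helper for ASA-202012-13 / CVE-2020-27780 (added example, not
Arch's or linux-pam's code). Flags a host where the advisory's exploitable
condition holds: empty root password AND pam older than 1.5.0-2."""
import re
import subprocess

FIXED_VERSION = "1.5.0-2"  # fixed package version from the advisory

# Constructed sample /etc/shadow contents (not taken from any real host).
SAMPLE_SHADOW_EMPTY_ROOT = (
    "root::18600:0:99999:7:::\n"
    "alice:$6$constructed$notarealhash:18600:0:99999:7:::\n"
)
SAMPLE_SHADOW_LOCKED_ROOT = "root:!:18600:0:99999:7:::\n"


def parse_version(ver):
    """'1.5.0-2' -> (epoch, (1, 5, 0), 2). Simplified vercmp: numeric
    components only, which is enough for the range this advisory covers."""
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    pkgver, _, pkgrel = ver.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", pkgver))
    return (epoch, nums, int(pkgrel or 0))


def pam_is_vulnerable(installed):
    """True when the installed pam version predates the fixed 1.5.0-2."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def root_password_empty(shadow_text):
    """True when root's password field (second colon-separated field) is empty.
    A locked field such as '!' or '*' is non-empty and does not trigger this."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return fields[1] == ""
    return False  # no root entry at all: not the empty-password case


def host_exposed(shadow_text, pam_version):
    """Both advisory conditions must hold for the bypass to apply."""
    return root_password_empty(shadow_text) and pam_is_vulnerable(pam_version)


if __name__ == "__main__":
    # Live check on an Arch host; reading /etc/shadow requires root.
    out = subprocess.run(["pacman", "-Q", "pam"], capture_output=True, text=True)
    ver = out.stdout.split()[1]
    with open("/etc/shadow") as f:
        print("EXPOSED" if host_exposed(f.read(), ver) else "ok", "pam", ver)
```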
Impact
======
In some unusual configurations, a remote user might be able to bypass
authentication.
References
==========
https://github.com/linux-pam/linux-pam/blob/5b7ba35ebfd280c931933fedbf98cb7f4a8846f2/NEWS#L4-L5
https://github.com/linux-pam/linux-pam/pull/300
https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
https://security.archlinux.org/CVE-2020-27780