CVE-2024-22365 – pam: allowing unprivileged user to block another user namespace
https://notcve.org/view.php?id=CVE-2024-22365
linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY. linux-pam (también conocido como Linux PAM) anterior a 1.6.0 permite a los atacantes provocar una denegación de servicio (proceso de inicio de sesión bloqueado) a través de mkfifo porque la llamada openat (para protect_dir) carece de O_DIRECTORY. A vulnerability was found in Linux PAM. An unprivileged user that is not yet in a corresponding mount namespace with ~/tmp mounted as a polyinstantiated dir can place a FIFO there, and a subsequent attempt to login as this user with `pam_namespace` configured will cause the `openat()` in `protect_dir()` to block the attempt, causing a local denial of service. • http://www.openwall.com/lists/oss-security/2024/01/18/3 https://github.com/linux-pam/linux-pam https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb https://github.com/linux-pam/linux-pam/releases/tag/v1.6.0 https://access.redhat.com/security/cve/CVE-2024-22365 https://bugzilla.redhat.com/show_bug.cgi?id=2257722 • CWE-277: Insecure Inherited Permissions •
CVE-2022-28321
https://notcve.org/view.php?id=CVE-2022-28321
The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream. El paquete Linux-PAM versiones anteriores a 1.5.2-6.1 para openSUSE Tumbleweed, permite omitir la autenticación en los inicios de sesión SSH. • http://download.opensuse.org/source/distribution/openSUSE-current/repo/oss/src https://bugzilla.suse.com/show_bug.cgi?id=1197654 https://www.suse.com/security/cve/CVE-2022-28321.html • CWE-287: Improper Authentication •
CVE-2015-3238 – pam: DoS/user enumeration due to blocking pipe in pam_unix module
https://notcve.org/view.php?id=CVE-2015-3238
The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password. Vulnerabilidad en la función _unix_run_helper_binary en el módulo pam_unix en Linux-PAM (también conocido como pam) en versiones anteriores a 1.2.1, cuando no es posible acceder directamente a las contraseñas, permite a usuarios locales enumerar los nombres de usuario o causar una denegación de servicio (colgado) a través de una contraseña larga. It was discovered that the _unix_run_helper_binary() function of PAM's unix_pam module could write to a blocking pipe, possibly causing the function to become unresponsive. An attacker able to supply large passwords to the unix_pam module could use this flaw to enumerate valid user accounts, or cause a denial of service on the system. • http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161350.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/161249.html http://rhn.redhat.com/errata/RHSA-2015-1640.html http://www.openwall.com/lists/oss-security/2015/06/25/13 http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html http://www.securityfocus.com/bid/75428 http://www.ubuntu.com/usn/USN-2935-1 http://www.ubuntu.com/usn/USN-2935-2 http://www.ubuntu.co • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •
CVE-2014-2583
https://notcve.org/view.php?id=CVE-2014-2583
Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function. Múltiples vulnerabilidades de salto de directorio en pam_timestamp.c en el módulo pam_timestamp para Linux-PAM (también conocido como pam) 1.1.8 permite a atacantes remotos crear archivos arbitrarios o posiblemente eludir la autenticación a través de un .. (punto punto) en el valor(1) PAM_RUSER para la función get_ruser o en el valor (2) PAM_TTY para la función check_tty, que es utilizada por la función format_timestamp_name. • http://secunia.com/advisories/57317 http://www.openwall.com/lists/oss-security/2014/03/24/5 http://www.openwall.com/lists/oss-security/2014/03/26/10 http://www.openwall.com/lists/oss-security/2014/03/31/6 http://www.securityfocus.com/bid/66493 http://www.ubuntu.com/usn/USN-2935-1 http://www.ubuntu.com/usn/USN-2935-2 http://www.ubuntu.com/usn/USN-2935-3 https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=Linux-PAM-1_1_8-32-g9dce • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •