ASA-202012-13 log original external raw
[ASA-202012-13] pam: authentication bypass |
---|
Arch Linux Security Advisory ASA-202012-13
==========================================
Severity: High
Date : 2020-12-09
CVE-ID : CVE-2020-27780
Package : pam
Type : authentication bypass
Remote : No
Link : https://security.archlinux.org/AVG-1297
Summary
=======
The package pam before version 1.5.0-2 is vulnerable to authentication
bypass.
Resolution
==========
Upgrade to 1.5.0-2.
# pacman -Syu "pam>=1.5.0-2"
The problem has been fixed upstream but no release is available yet.
Workaround
==========
The issue can be mitigated by setting a non-empty password for the root
user.
Description
===========
An authentication bypass issue was found in pam 1.5.0. Nonexistent
users could authenticate if the root password was empty.
Impact
======
In some unusual configurations, a remote user might be able to bypass
authentication.
References
==========
https://github.com/linux-pam/linux-pam/blob/5b7ba35ebfd280c931933fedbf98cb7f4a8846f2/NEWS#L4-L5
https://github.com/linux-pam/linux-pam/pull/300
https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
https://security.archlinux.org/CVE-2020-27780
|