NetBSD Security Advisory 2011-008: OpenPAM privilege escalation
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2011-008
Topic:          OpenPAM privilege escalation

Version:        NetBSD-current:         affected prior to 20111109
                NetBSD 5.1:             affected prior to 20111119
                NetBSD 5.0:             affected prior to 20111119
                NetBSD 4.0.*:           affected prior to 20111119
                NetBSD 4.0:             affected prior to 20111119
                pkgsrc:                 security/openpam package prior to

Severity:       Privilege escalation

Fixed:          NetBSD-current:         Nov 9th, 2011
                NetBSD-5-1 branch:      Nov 19th, 2011
                NetBSD-5-0 branch:      Nov 19th, 2011
                NetBSD-5 branch:        Nov 19th, 2011
                NetBSD-4-0 branch:      Nov 19th, 2011
                NetBSD-4 branch:        Nov 19th, 2011
                pkgsrc security/openpam: openpam-20071221nb1

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

The pam_start() function of OpenPAM doesn't check the "service"
argument. With a relative path it can be tricked into reading
a config file from an arbitrary location.

NetBSD base utilities pass fixed constant strings. 3rd party
programs which run with elevated privileges and allow user chosen
strings open an attack vector.

This vulnerability has been assigned CVE-2011-4122.
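
A caller-side check for programs that take the PAM service name from
user input, refusing anything that is not a plain file name before
pam_start() is reached. This is an added example, not code from this
advisory, OpenPAM or the affected programs; POLICY_DIR, SERVICE_MAX and
both function names are assumptions made for illustration.

```c
/* Added example: caller-side check of a user-supplied PAM service name. */
#include <stdio.h>
#include <string.h>

#define POLICY_DIR  "/etc/pam.d"  /* assumption: per-service policy directory */
#define SERVICE_MAX 64            /* assumption: arbitrary upper bound */

/* Return 1 if name is a plain file name that cannot leave POLICY_DIR. */
int service_name_ok(const char *name)
{
    size_t i, len;

    /* NULL, empty, ".", ".." and other dot-leading names are refused. */
    if (name == NULL || name[0] == '\0' || name[0] == '.')
        return 0;
    len = strlen(name);
    if (len > SERVICE_MAX)
        return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return 0;             /* '/' and any other byte is refused */
    }
    return 1;
}

/* Build the policy path for a checked name; 0 on success, -1 if refused. */
int policy_path(const char *name, char *buf, size_t buflen)
{
    int n;
    if (!service_name_ok(name))
        return -1;
    n = snprintf(buf, buflen, "%s/%s", POLICY_DIR, name);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char path[128];
    const char *svc = argc > 1 ? argv[1] : "../other/policy"; /* constructed */

    if (policy_path(svc, path, sizeof(path)) != 0) {
        fprintf(stderr, "refusing PAM service name \"%s\"\n", svc);
        return 1;
    }
    printf("pam_start() may be called with \"%s\" (%s)\n", svc, path);
    return 0;
}
```
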
Known 3rd party programs which allow user chosen PAM service names are:
- "kcheckpass" from KDE3/4 (installed as SUID per default)
- the "pam_auth" helper of "squid" (not SUID per default, but might
  be by administrator's choice)
- "saslauthd" from cyrus-sasl, if built with PAM support, is suspected
  to accept a PAM service name through its communication socket
  (not verified in detail; pkgsrc/security/cyrus-saslauthd does not
Also see the initial post about the problem:
An exploit which uses KDE's "kcheckpass" is here:
Solutions and Workarounds
Update NetBSD's libpam to one of the versions listed above, or install
a version of the 3rd party software with a fix for the issue.
Fixed versions in pkgsrc are:
Thanks to "Icke" for reporting the issue.
2011-12-15 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2011-008.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
-----END PGP SIGNATURE-----