CVE-2009-2410
Severity
7.5 HIGH
EPSS
0.4%
top 36.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 30
Latest update: May 2
Description
The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c in sssd 0.4.1 does not properly handle blank-password accounts in the SSSD BE database, which allows context-dependent attackers to obtain access by sending the account's username, in conjunction with an arbitrary password, over an ssh connection.
CVSS vector
AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4
Affected Packages: 1 package
Vulnerability Details
Vendor Advisories (2)
Debian (1)
CVE-2009-2410: sssd - The local_handler_callback function in server/responder/pam/pam_LOCAL_domain.c i... (2009)
Community
Bugzilla (1)
CVE-2009-2410 If internal sssd user has no password set, the user can ssh to the sssd client with any supplied password (2009-07-27)