CVE-2009-3232 — Improper Authentication in PAM

CWE-287 — Improper Authentication6 documents6 sources

Severity

9.3CRITICALNVD

EPSS

0.5%

top 32.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PAM Debian PAM Canonical Ubuntu Linux

Timeline

PublishedSep 17

Latest updateMay 2

Description

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

▶debiandebian/pam< pam 1.0.1-10 (bookworm)

▶Debianpam/pam< 1.0.1-10+3

Also affects: Ubuntu Linux 8.10, 9.04

Patches

Patch: www.securityfocus.com ↗Patch: launchpad.net ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-6jvj-39c6-mh4m: pam-auth-update for PAM, as used in Ubuntu 8↗2022-05-02

▶

OSV

CVE-2009-3232: pam-auth-update for PAM, as used in Ubuntu 8↗2009-09-17

▶

📋Vendor Advisories

Ubuntu

PAM vulnerability↗2009-09-08

▶

Debian

CVE-2009-3232: pam - pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, d...↗2009

▶

📐Framework References

CWE

Improper Authentication↗

▶