CVE-2022-28321 — Improper Authentication in Linux-pam

CWE-287 — Improper Authentication CWE-863 — Incorrect Authorization7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 70.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux-pam PAM Debian PAM

Timeline

PublishedSep 19

Latest updateFeb 6

Description

The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDlinux-pam/linux-pam< 1.5.2-6.1

▶Ubuntupam/pam< 1.1.8-3.6ubuntu2.18.04.4+4

▶debiandebian/pam

Patches

Patch: download.opensuse.org ↗Patch: bugzilla.suse.com ↗Patch: download.opensuse.org ↗

🔴Vulnerability Details

GHSA

GHSA-p9vf-jjj8-m5r9: The Linux-PAM package before 1↗2022-09-20

▶

OSV

CVE-2022-28321: The Linux-PAM package before 1↗2022-09-19

▶

📋Vendor Advisories

Ubuntu

PAM regressions↗2023-02-06

▶

Ubuntu

PAM vulnerability↗2023-01-25

▶

Red Hat

pam: authentication bypass for SSH logins↗2022-09-19

▶

Debian

CVE-2022-28321: pam - The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentica...↗2022

▶