CVE-2024-22365 — Improper Control of a Resource Through its Lifetime in Linux-pam

CWE-664 — Improper Control of a Resource Through its Lifetime CWE-277 — Insecure Inherited Permissions8 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 64.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PAM Linux-pam Debian PAM +8 more

Timeline

PublishedFeb 6

Latest updateMar 26

Description

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages11 packages

▶NVDlinux-pam/linux-pam< 1.6.0

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

▶msrcmsrc/azl3_pam_1.5.3-2_on_azure_linux_3.0

▶msrcmsrc/azl3_pam_1.5.3-4_on_azure_linux_3.0

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-pcmw-6hxc-hqmx: linux-pam (aka Linux PAM) before 1↗2024-02-06

▶

OSV

CVE-2024-22365: linux-pam (aka Linux PAM) before 1↗2024-02-06

▶

📋Vendor Advisories

Ubuntu

PAM vulnerability↗2024-03-26

▶

Microsoft

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.↗2024-02-13

▶

Red Hat

pam: allowing unprivileged user to block another user namespace↗2024-01-18

▶

Ubuntu

PAM vulnerability↗2024-01-17

▶

Debian

CVE-2024-22365: pam - linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of ser...↗2024

▶