Vigil@nce - OpenPAM: bypassing policy
June 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the OpenPAM configuration is invalid, a local attacker can
bypass authentication restrictions.
– Impacted products: FreeBSD, Unix (platform)
– Severity: 2/4
– Creation date: 04/06/2014
DESCRIPTION OF THE VULNERABILITY
The OpenPAM library manages authentication using PAM
(Pluggable Authentication Modules).
However, if a module name is misspelled in the
configuration file, OpenPAM ignores the error and does not warn
the administrator.
When the OpenPAM configuration is invalid, a local attacker can
therefore bypass authentication restrictions.
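A configuration check an administrator could run to catch this error, as an added example that is not part of the Vigil@nce bulletin or of OpenPAM: it reads a pam.d-style policy and reports every module entry that does not resolve to a file. The function names, the sample policy and the module directory are assumptions made for illustration; pass the directories where the system installs its PAM modules.

```python
import os
import tempfile

FACILITIES = {"auth", "account", "session", "password"}

# Constructed sample policy in pam.d layout: facility, control flag, module, options.
# Line 3 misspells pam_nologin.so, the kind of error the bulletin describes.
SAMPLE_POLICY = """\
# constructed example, not a real system file
auth      required    pam_unix.so     no_warn try_first_pass
account   required    pam_nologn.so
session   include     system
"""

def module_exists(module, module_dirs):
    """True if the module name resolves to a regular file."""
    if os.path.isabs(module):
        return os.path.isfile(module)
    return any(os.path.isfile(os.path.join(d, module)) for d in module_dirs)

def find_missing_modules(policy_text, module_dirs):
    """Return (line_number, module) for every entry whose module file is absent."""
    missing = []
    for line_no, raw in enumerate(policy_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 3 or fields[0] not in FACILITIES:
            continue
        if fields[1] == "include":  # third field names another policy, not a module
            continue
        if not module_exists(fields[2], module_dirs):
            missing.append((line_no, fields[2]))
    return missing

def demo():
    """Run the check with a temporary directory standing in for the module path."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("pam_unix.so", "pam_nologin.so"):
            open(os.path.join(d, name), "w").close()
        return find_missing_modules(SAMPLE_POLICY, [d])

if __name__ == "__main__":
    for line_no, module in demo():
        print(f"line {line_no}: module not found: {module}")
```

Running such a check after every policy change surfaces a misspelled module before the policy is relied on, since the library itself gives no warning.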
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenPAM-bypassing-policy-14838