Vulnerability Details : CVE-2009-3232
pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any authentication attempt to succeed and allows remote attackers to bypass authentication.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2009-3232
- cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3232
0.89% (probability of exploitation activity in the next 30 days)
EPSS Score History
~82% percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2009-3232
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
CWE ids for CVE-2009-3232
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-3232
- https://launchpad.net/bugs/410171
  Bug #410171 “pam-auth-update does not prohibit selecting an empt...” : Bugs : pam package : Ubuntu (Issue Tracking; Patch)
- http://www.openwall.com/lists/oss-security/2009/09/08/7
  oss-security - CVE request - Debian/Ubuntu PAM auth module selection (Mailing List)
- http://secunia.com/advisories/36620
  About Secunia Research | Flexera (Broken Link; Vendor Advisory)
- https://usn.ubuntu.com/828-1/
  (Broken Link)
- http://www.securityfocus.com/bid/36306
  (Broken Link; Patch; Third Party Advisory; VDB Entry)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927
  #519927 - pam-auth-update does not prohibit selecting an empty set of modules - Debian Bug report logs (Issue Tracking; Mailing List)