Vulnerabilities > CVE-2005-2977 - Unspecified vulnerability in PAM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Summary
The SELinux version of PAM before 0.78 r3 allows local users to perform brute force password guessing attacks via unix_chkpwd, which does not log failed guesses or delay its responses.
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-805.NASL description An updated pam package that fixes a security weakness is now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set an authentication policy without having to recompile programs that handle authentication. A bug was found in the way PAM last seen 2020-06-01 modified 2020-06-02 plugin id 20107 published 2005-10-28 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20107 title RHEL 4 : pam (RHSA-2005:805) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2005:805. The text
# itself is copyright (C) Red Hat, Inc.
#

# Purpose: credentialed (local) check that reports a RHEL 4 host whose
# pam / pam-devel packages are older than the 0.77-66.13 build referenced
# for RHSA-2005:805 (CVE-2005-2977).
#
# Triage caveat: the result is derived only from package data (yum
# updateinfo or the rpm list). Nothing in this script inspects whether
# SELinux is enabled, although the advisory text below ties the weakness
# to unix_chkpwd "when SELinux is enabled". A finding therefore means
# "fixed package not installed", not "exposure confirmed".

include("compat.inc");

# Description mode: register the plugin metadata and exit before any host
# data is read.
if (description)
{
  script_id(20107);
  script_version ("1.23");
  script_cvs_date("Date: 2019/10/25 13:36:11");

  script_cve_id("CVE-2005-2977");
  script_xref(name:"RHSA", value:"2005:805");

  script_name(english:"RHEL 4 : pam (RHSA-2005:805)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An updated pam package that fixes a security weakness is now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set an authentication policy without having to recompile programs that handle authentication. 
A bug was found in the way PAM's unix_chkpwd helper program validates user passwords when SELinux is enabled. Under normal circumstances, it is not possible for a local non-root user to verify the password of another local user with the unix_chkpwd command. A patch applied that adds SELinux functionality makes it possible for a local user to use brute-force password guessing techniques against other local user accounts. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2977 to this issue. All users of pam should upgrade to this updated package, which contains backported patches to correct these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2005-2977"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2005:805"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected pam and / or pam-devel packages."
  );
  # CVSS v2 vector: local access, low complexity, no authentication,
  # partial confidentiality impact, no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pam-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/28");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  # Runs after ssh_get_info.nasl; presumably that plugin fills the Host/*
  # KB items required below -- confirm against the dependency.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Each audit() call below is a guard: the script stops with an audit
# message instead of reporting when a precondition is not met.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# ">!<" is NASL's "is not a substring of" operator.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");

os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];

# Accept release 4 and 4.x only; the "([^0-9]|$)" tail rejects versions
# such as "40".
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architectures covered: x86_64, i386-i686 and any value containing "s390".
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

# Two detection paths. When yum updateinfo data is in the KB, the verdict
# comes from redhat_generate_yum_updateinfo_report() alone: an empty report
# audits the host as not affected and the rpm_check() comparison below is
# never reached. NOTE(review): the verdict on that path depends on the
# accuracy of the host's updateinfo data -- confirm if results look
# inconsistent with the installed pam build.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2005:805";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port : 0,
      severity : SECURITY_NOTE,
      extra : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  # Fallback: compare installed packages against the reference builds.
  # flag counts how many of the two packages are flagged by rpm_check().
  flag = 0;
  if (rpm_check(release:"RHEL4", reference:"pam-0.77-66.13")) flag++;
  if (rpm_check(release:"RHEL4", reference:"pam-devel-0.77-66.13")) flag++;

  if (flag)
  {
    # Reported at note severity with the rpm comparison output attached.
    security_report_v4(
      port : 0,
      severity : SECURITY_NOTE,
      extra : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    # Distinguish "package present and not flagged" from "package absent".
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pam / pam-devel");
  }
}
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200510-22.NASL description The remote host is affected by the vulnerability described in GLSA-200510-22 (SELinux PAM: Local password guessing attack) The SELinux patches for PAM introduce a vulnerability allowing a password to be checked with the unix_chkpwd utility without delay or logging. This vulnerability doesn last seen 2020-06-01 modified 2020-06-02 plugin id 20115 published 2005-11-02 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20115 title GLSA-200510-22 : SELinux PAM: Local password guessing attack code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200510-22.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

# Purpose: credentialed (local) check that reports a Gentoo host whose
# sys-libs/pam package is older than 0.78-r3 (GLSA-200510-22,
# CVE-2005-2977).
#
# Triage caveat: the only test is the sys-libs/pam version. Nothing visible
# in this script checks whether the host runs SELinux, while the advisory
# text below states that users who do not run SELinux are not affected.
# Confirm the SELinux state of a flagged host before treating it as exposed.

include("compat.inc");

# Description mode: register the plugin metadata and exit before any host
# data is read.
if (description)
{
  script_id(20115);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  script_cve_id("CVE-2005-2977");
  script_xref(name:"GLSA", value:"200510-22");

  script_name(english:"GLSA-200510-22 : SELinux PAM: Local password guessing attack");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200510-22 (SELinux PAM: Local password guessing attack) The SELinux patches for PAM introduce a vulnerability allowing a password to be checked with the unix_chkpwd utility without delay or logging. This vulnerability doesn't affect users who do not run SELinux. 
Impact : A local attacker could exploit this vulnerability to brute-force passwords and escalate privileges on an SELinux system. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200510-22"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All SELinux PAM users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=sys-libs/pam-0.78-r3'"
  );
  # CVSS v2 vector: local access, low complexity, no authentication,
  # partial confidentiality impact, no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:pam");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/11/02");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  # Runs after ssh_get_info.nasl; presumably that plugin fills the Host/*
  # KB items required below -- confirm against the dependency.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Guards: stop with an audit message unless local checks are enabled, the
# host is identified as Gentoo, and a package list was collected.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Version ranges handed to qpkg_check(): "lt 0.78-r3" is listed as
# vulnerable, "ge 0.78-r3" as unaffected.
if (qpkg_check(package:"sys-libs/pam", unaffected:make_list("ge 0.78-r3"), vulnerable:make_list("lt 0.78-r3"))) flag++;

if (flag)
{
  # The package comparison output is attached only when report_verbosity
  # is above 0; otherwise a bare note is raised.
  if (report_verbosity > 0) security_note(port:0, extra:qpkg_report_get());
  else security_note(0);
  exit(0);
}
else
{
  # Distinguish "package present and not flagged" from "package absent".
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "SELinux PAM");
}
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-805.NASL description An updated pam package that fixes a security weakness is now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set an authentication policy without having to recompile programs that handle authentication. A bug was found in the way PAM last seen 2020-06-01 modified 2020-06-02 plugin id 21966 published 2006-07-05 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21966 title CentOS 4 : pam (CESA-2005:805) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2005:805 and
# CentOS Errata and Security Advisory 2005:805 respectively.
#

# Purpose: credentialed (local) check that reports a CentOS 4 host whose
# pam / pam-devel packages are older than the 0.77-66.13 build referenced
# for CESA-2005:805 (CVE-2005-2977).
#
# Triage caveat: the result is derived only from the rpm list. Nothing in
# this script inspects whether SELinux is enabled, although the advisory
# text below ties the weakness to unix_chkpwd "when SELinux is enabled".
# A finding therefore means "fixed package not installed", not "exposure
# confirmed".

include("compat.inc");

# Description mode: register the plugin metadata and exit before any host
# data is read.
if (description)
{
  script_id(21966);
  script_version("1.17");
  script_cvs_date("Date: 2019/10/25 13:36:03");

  script_cve_id("CVE-2005-2977");
  script_xref(name:"RHSA", value:"2005:805");

  script_name(english:"CentOS 4 : pam (CESA-2005:805)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An updated pam package that fixes a security weakness is now available for Red Hat Enterprise Linux 4. This update has been rated as having low security impact by the Red Hat Security Response Team. PAM (Pluggable Authentication Modules) is a system security tool that allows system administrators to set an authentication policy without having to recompile programs that handle authentication. 
A bug was found in the way PAM's unix_chkpwd helper program validates user passwords when SELinux is enabled. Under normal circumstances, it is not possible for a local non-root user to verify the password of another local user with the unix_chkpwd command. A patch applied that adds SELinux functionality makes it possible for a local user to use brute-force password guessing techniques against other local user accounts. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2977 to this issue. All users of pam should upgrade to this updated package, which contains backported patches to correct these issues."
  );
  # The comment above each see_also entry gives the full announcement URL
  # behind the shortened link.
  # https://lists.centos.org/pipermail/centos-announce/2005-October/012337.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?6c158255"
  );
  # https://lists.centos.org/pipermail/centos-announce/2005-October/012340.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?334f03ff"
  );
  # https://lists.centos.org/pipermail/centos-announce/2005-October/012341.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b92a07dd"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected pam packages.");
  # CVSS v2 vector: local access, low complexity, no authentication,
  # partial confidentiality impact, no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:pam-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/05");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 
2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  # Runs after ssh_get_info.nasl; presumably that plugin fills the Host/*
  # KB items required below -- confirm against the dependency.
  # NOTE(review): "Host/cpu" is read further down but is not listed here;
  # a missing value is handled by the isnull() audit, so this only affects
  # how early the plugin is skipped.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Each audit() call below is a guard: the script stops with an audit
# message instead of reporting when a precondition is not met.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# ">!<" is NASL's "is not a substring of" operator.
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");

os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];

# Accept major release 4 only; the "([^0-9]|$)" tail rejects versions such
# as "40".
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 4.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architectures covered: x86_64, ia64 and i386-i686.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);

# Compare installed packages against the reference builds. flag counts how
# many of the two packages are flagged by rpm_check().
flag = 0;
if (rpm_check(release:"CentOS-4", reference:"pam-0.77-66.13")) flag++;
if (rpm_check(release:"CentOS-4", reference:"pam-devel-0.77-66.13")) flag++;

if (flag)
{
  # Reported at note severity with the rpm comparison output attached.
  security_report_v4(
    port : 0,
    severity : SECURITY_NOTE,
    extra : rpm_report_get()
  );
  exit(0);
}
else
{
  # Distinguish "package present and not flagged" from "package absent".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pam / pam-devel");
}
Oval
accepted | 2013-04-29T04:03:14.334-04:00
class | vulnerability
contributors |
definition_extensions |
description | The SELinux version of PAM before 0.78 r3 allows local users to perform brute force password guessing attacks via unix_chkpwd, which does not log failed guesses or delay its responses.
family | unix
id | oval:org.mitre.oval:def:10193
status | accepted
submitted | 2010-07-09T03:56:16-04:00
title | The SELinux version of PAM before 0.78 r3 allows local users to perform brute force password guessing attacks via unix_chkpwd, which does not log failed guesses or delay its responses.
version | 26
Redhat
advisories |
rpms |
References
- http://cvs.sourceforge.net/viewcvs.py/pam/Linux-PAM/NEWS?rev=1.6&view=markup
- http://secunia.com/advisories/17346
- http://secunia.com/advisories/17350
- http://secunia.com/advisories/17352
- http://secunia.com/advisories/17365
- http://securitytracker.com/id?1015111
- http://www.gentoo.org/security/en/glsa/glsa-200510-22.xml
- http://www.redhat.com/support/errata/RHSA-2005-805.html
- http://www.securityfocus.com/bid/15217
- http://www.vupen.com/english/advisories/2005/2227
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168181
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10193