Vulnerabilities > CVE-2019-16729
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
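pam-python before 1.0.7-1 does not sanitise the environment variables that the Python interpreter it runs honours by default, which could allow local root escalation in certain PAM setups; the Debian advisory quoted below names use of the module with a setuid binary as the condition. Fixed Debian package versions listed on this page are 1.0.4-1.1+deb8u1 (jessie), 1.0.6-1.1+deb9u1 (stretch) and 1.0.6-1.1+deb10u1 (buster).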
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | | 4 |
| OS | | 3 |
| OS | | 2 |
Nessus
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-4555.NASL
description Malte Kraus discovered that libpam-python, a PAM module allowing PAM modules to be written in Python, didn
last seen 2020-06-01
modified 2020-06-02
plugin id 130369
published 2019-10-30
reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/130369
title Debian DSA-4555-1 : pam-python - security update
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-4555. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Purpose: local (authenticated) check that reports a Debian 9 / 10 host whose
# libpam-python packages are older than the versions that fix CVE-2019-16729.

include("compat.inc");

# Registration block: runs when `description` is set, records the plugin
# metadata (id, CVE, references, CVSS vectors, required KB keys) and leaves
# through exit(0) before any host check is made.
if (description)
{
  script_id(130369);
  script_version("1.3");
  script_cvs_date("Date: 2019/12/17");

  script_cve_id("CVE-2019-16729");
  script_xref(name:"DSA", value:"4555");

  script_name(english:"Debian DSA-4555-1 : pam-python - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  # The advisory text ties the escalation to use of the module with a setuid
  # binary; the check at the end of this script looks at package versions only.
  script_set_attribute(
    attribute:"description",
    value:
"Malte Kraus discovered that libpam-python, a PAM module allowing PAM modules to be written in Python, didn't sanitise environment variables which could result in local privilege escalation if used with a setuid binary."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/pam-python"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/pam-python"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/buster/pam-python"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2019/dsa-4555"
  );
  # The solution string spans a line break in the listing; it is kept as is.
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the pam-python packages. 
For the oldstable distribution (stretch), this problem has been fixed in version 1.0.6-1.1+deb9u1. For the stable distribution (buster), this problem has been fixed in version 1.0.6-1.1+deb10u1."
  );
  # CVSS v2 and v3 base vectors: local access, low complexity, complete/high
  # impact on confidentiality, integrity and availability (v3 also records
  # PR:L, low privileges required). The temporal vectors record an unproven
  # exploit (E:U), an official fix (RL) and a confirmed report (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # NOTE(review): this CPE names pam-python, while the deb_check calls below
  # use the package names libpam-python and libpam-python-doc.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:pam-python");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/30");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Declares a dependency on ssh_get_info.nasl and requires three KB keys;
  # presumably that dependency is what populates them - confirm.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions: each missing KB item hands over to audit() with the matching
# reason (presumably ending the script - confirm in audit.inc).
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


# One deb_check per release/package pair; `flag` counts the calls that return
# true (presumably: package installed and older than `reference` - confirm in
# debian_package.inc).
# NOTE(review): the result rests on the dpkg package list alone. Nothing here
# inspects the PAM configuration, so a flagged host still needs a look at
# whether the module is actually used in the way the advisory describes.
flag = 0;
if (deb_check(release:"10.0", prefix:"libpam-python", reference:"1.0.6-1.1+deb10u1")) flag++;
if (deb_check(release:"10.0", prefix:"libpam-python-doc", reference:"1.0.6-1.1+deb10u1")) flag++;
if (deb_check(release:"9.0", prefix:"libpam-python", reference:"1.0.6-1.1+deb9u1")) flag++;
if (deb_check(release:"9.0", prefix:"libpam-python-doc", reference:"1.0.6-1.1+deb9u1")) flag++;

if (flag)
{
  # Report on port 0; the deb_report_get() text is attached only when
  # report_verbosity is above 0.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks
NASL id DEBIAN_DLA-2000.NASL
description It was discovered that pam-python, a PAM Module that runs the Python interpreter, has an issue in regard to the default environment variable handling of Python. This issue could allow for local root escalation in certain PAM setups. For Debian 8
last seen 2020-06-01
modified 2020-06-02
plugin id 131245
published 2019-11-25
reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/131245
title Debian DLA-2000-1 : pam-python security update
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2000-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Purpose: local (authenticated) check that reports a Debian 8 host whose
# libpam-python packages are older than the version that fixes CVE-2019-16729.

include("compat.inc");

# Registration block: runs when `description` is set, records the plugin
# metadata (id, CVE, references, CVSS vectors, required KB keys) and leaves
# through exit(0) before any host check is made.
if (description)
{
  script_id(131245);
  script_version("1.2");
  script_cvs_date("Date: 2019/12/09");

  script_cve_id("CVE-2019-16729");

  script_name(english:"Debian DLA-2000-1 : pam-python security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  # The advisory text limits the escalation to "certain PAM setups"; the check
  # at the end of this script looks at package versions only.
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that pam-python, a PAM Module that runs the Python interpreter, has an issue in regard to the default environment variable handling of Python. This issue could allow for local root escalation in certain PAM setups. For Debian 8 'Jessie', this problem has been fixed in version 1.0.4-1.1+deb8u1. We recommend that you upgrade your pam-python packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2019/11/msg00020.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/pam-python"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade the affected libpam-python, and libpam-python-doc packages."
  );
  # CVSS v2 and v3 base vectors: local access, low complexity, complete/high
  # impact on confidentiality, integrity and availability (v3 also records
  # PR:L, low privileges required). The temporal vectors record an unproven
  # exploit (E:U), an official fix (RL) and a confirmed report (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpam-python");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpam-python-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/11/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/25");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Declares a dependency on ssh_get_info.nasl and requires three KB keys;
  # presumably that dependency is what populates them - confirm.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions: each missing KB item hands over to audit() with the matching
# reason (presumably ending the script - confirm in audit.inc).
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


# One deb_check per package for release 8.0; `flag` counts the calls that
# return true (presumably: package installed and older than `reference` -
# confirm in debian_package.inc).
# NOTE(review): the result rests on the dpkg package list alone. Nothing here
# inspects the PAM configuration, so a flagged host still needs a look at
# whether the module is part of one of the "certain PAM setups" the advisory
# refers to.
flag = 0;
if (deb_check(release:"8.0", prefix:"libpam-python", reference:"1.0.4-1.1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libpam-python-doc", reference:"1.0.4-1.1+deb8u1")) flag++;

if (flag)
{
  # Report on port 0; the deb_report_get() text is attached only when
  # report_verbosity is above 0.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- https://tracker.debian.org/news/1066790/accepted-pam-python-107-1-source-amd64-all-into-unstable/
- https://bugzilla.suse.com/show_bug.cgi?id=1150510#c1
- https://sourceforge.net/p/pam-python/code/ci/0247ab687b4347cc52859ca461fb0126dd7e2ebe/
- https://www.debian.org/security/2019/dsa-4555
- https://lists.debian.org/debian-lts-announce/2019/11/msg00020.html
- https://usn.ubuntu.com/4552-1/
- https://usn.ubuntu.com/4552-2/