PT-2014-2154 · Canonical · Libpam-Modules
Stephane Chazelas
·
Published
2014-04-15
·
Updated
2014-04-16
·
CVE-2011-3628
CVSS v2.0
6.9
Medium
| Vector | AV:L/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
libpam-modules versions prior to 1.1.3-2ubuntu2.1 on Ubuntu 11.10
libpam-modules versions prior to 1.1.2-2ubuntu8.4 on Ubuntu 11.04
libpam-modules versions prior to 1.1.1-4ubuntu2.4 on Ubuntu 10.10
libpam-modules versions prior to 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS
libpam-modules versions prior to 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS
Description
The issue allows local users to gain privileges by modifying the PATH environment variable to reference a malicious command. This can be achieved when using certain configurations, such as "session optional pam motd.so", in conjunction with the pam motd module in libpam-modules. The exploitation can be demonstrated via the uname command.
Recommendations
For libpam-modules versions prior to 1.1.3-2ubuntu2.1 on Ubuntu 11.10, update to version 1.1.3-2ubuntu2.1 or later.
For libpam-modules versions prior to 1.1.2-2ubuntu8.4 on Ubuntu 11.04, update to version 1.1.2-2ubuntu8.4 or later.
For libpam-modules versions prior to 1.1.1-4ubuntu2.4 on Ubuntu 10.10, update to version 1.1.1-4ubuntu2.4 or later.
For libpam-modules versions prior to 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, update to version 1.1.1-2ubuntu5.4 or later.
For libpam-modules versions prior to 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS, update to version 0.99.7.1-5ubuntu6.5 or later.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Libpam-Modules