Bug 1179166 (CVE-2020-27780) - VUL-0: CVE-2020-27780: pam: bypass of password base authentication if user does not exist and root password is blank
Summary: VUL-0: CVE-2020-27780: pam: bypass of password base authentication if user do...
Status: RESOLVED FIXED
Alias: CVE-2020-27780
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem (show other bugs)
Version: Current
Hardware: Other Other
: P3 - Medium : Critical (vote)
Target Milestone: ---
Assignee: Josef Möllers
QA Contact: E-mail List
URL: https://smash.suse.de/issue/272203/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-24 17:06 UTC by Marcus Meissner
Modified: 2023-04-06 09:55 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2020-11-24 17:06:52 UTC 
https://github.com/linux-pam/linux-pam/issues/284

https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb

This seems to allow bypass of authentication.

(Not fully clear on the circumstances that allow this.)
Comment 1 Marcus Meissner 2020-11-24 17:11:27 UTC 
https://github.com/linux-pam/linux-pam/commit/28b8c7045ac8ea4ea080bce02a2df9e3b9e98f06

This only affects PAM 1.5.0, older versions are not affected.
Comment 2 Thorsten Kukuk 2020-11-25 12:42:55 UTC 
(In reply to Marcus Meissner from comment #0)

> (Not fully clear on the circumstances that allow this.)

Only if root as no password and if you allow root to login with no password (so nullok option is used).

Nothing of this should be anywhere used or the default.
Comment 3 Thorsten Kukuk 2020-11-27 09:43:50 UTC 
I updated the package to version 1.5.1
Comment 4 OBSbugzilla Bot 2020-11-27 10:10:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1179166) was mentioned in
https://build.opensuse.org/request/show/851278 Factory / pam