GLSA Bodhisattva
Joined: 13 Jun 2003 Posts: 4087 Location: Dresden, Germany
|
Posted: Tue Jan 11, 2005 9:03 pm Post subject: [ GLSA 200501-22 ] poppassd_pam: Unauthorized password chang |
|
|
Gentoo Linux Security Advisory
Title: poppassd_pam: Unauthorized password changing (GLSA 200501-22)
Severity: high
Exploitable: remote
Date: January 11, 2005
Bug(s): #75820
ID: 200501-22
Synopsis
poppassd_pam allows anyone to change any user's password without authenticating the user first.
Background
poppassd_pam is a PAM-enabled server for changing system passwords that can be used to change POP server passwords.
Affected Packages
Package: net-mail/poppassd_ceti
Vulnerable: <= 1.0
Unaffected: >= 1.8.4
Architectures: All supported architectures
Package: net-mail/poppassd_pam
Vulnerable: <= 1.0
Architectures: All supported architectures
Description
Gentoo Linux developer Marcus Hanwell discovered that poppassd_pam did not check that the old password was valid before changing passwords. Our investigation revealed that poppassd_pam did not call pam_authenticate before calling pam_chauthtok.
Impact
A remote attacker could change the system password of any user, including root. This leads to a complete compromise of the POP accounts, and may also lead to a complete root compromise of the affected server, if it also provides shell access authenticated using system passwords.
Workaround
There is no known workaround at this time.
Resolution
All poppassd_pam users should migrate to the new package called poppassd_ceti: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/poppassd_ceti-1.8.4" | Note: Portage will automatically replace the poppassd_pam package by the poppassd_ceti package.
References
CAN-2005-0002
Last edited by GLSA on Sun May 07, 2006 4:54 pm; edited 1 time in total |
|