CVE-2024-10963 is a high-severity access-control bypass (rated Important by Red Hat, CVSS 3.1 base score 7.4) in the pam_access module of Linux-PAM (Pluggable Authentication Modules). The flaw lies in how pam_access interprets the origin field of its configuration rules: tokens that were never meant to be hostnames are resolved as hostnames, so an attacker who controls the name resolution the target performs can masquerade as a trusted origin and reach services and terminals whose access control relies on pam_access.
This article will provide a detailed explanation of the vulnerability, code snippets demonstrating the issue, links to original references and exploit details, and information on how to mitigate and patch the vulnerability.
Vulnerability Details
The flaw lies in how pam_access evaluates the origin field (the third column) of rules in /etc/security/access.conf. That field may hold TTY names, hostnames, IP addresses or networks, netgroups, and the keywords ALL and LOCAL. When a remote login is evaluated, the vulnerable code compares the peer's address against every origin token of a rule, and any token that is not an address literal is handed to the resolver as if it were a hostname. Tokens the administrator wrote as TTY names are therefore treated as hostnames, and a match against an attacker-resolvable name grants access.
Here is a configuration that illustrates the issue. The intent is that root may log in only on the local consoles tty1 and tty2, members of admins only from the management network, and nobody else at all:
+ : root : tty1 tty2
+ : admins : 192.0.2.0/24
- : ALL : ALL
An administrator reading this expects tty1 and tty2 to match only console logins. Before the fix, however, pam_access also compared those tokens against remote logins: because tty1 is neither an IP address nor a network, it was passed to the resolver as a hostname. If the name resolves to the address of the connecting host, the first rule matches and the remote root login is allowed, so the deny-all rule at the end is never reached.
Exploit Details
To exploit this, an attacker needs to control the answer the target receives when it resolves the rule's token: typically by controlling a DNS zone or resolver the target consults (for example the search domain under which a bare label such as tty1 is looked up). Editing /etc/hosts on the target has the same effect, but writing that file already requires root, so it is not a realistic entry point; it is useful mainly for reproducing the issue in a lab.
For instance, a hosts entry (or an equivalent DNS A record) that maps the TTY token to the attacker's address:
203.0.113.17 tty1
Or the attacker publishes a DNS record so that tty1, as resolved by the target, points at an address they control.
With that in place, a remote login as root from 203.0.113.17 matches the rule meant for the local console: pam_access resolves tty1, finds the peer's address in the answer, and grants access before the deny-all rule is evaluated, yielding root access over the network on any service that stacks pam_access.
Original References
The vulnerability was disclosed publicly in November 2024 (see the Timeline below). The detailed analysis can be found at the following link:
oss-security: CVE-2024-10963: pam_access hostname rule bypass
The Linux-PAM project acknowledged the vulnerability and fixed it in the following GitHub commit:
Fix: hostname rule bypass in pam_access (GitHub Commit)
Mitigation and Patching
To mitigate this vulnerability, tighten the access.conf rules and the module options: express remote origins as IP addresses or CIDR networks rather than hostnames, keep TTY-name tokens only in rules meant for console logins, and avoid broad wildcards. On a Linux-PAM build that supports it, add the nodns option to the pam_access line in the PAM service file; with nodns the module never resolves tokens as hostnames and only IPv4/IPv6 address literals are compared, which closes this class of bypass at the cost of requiring addresses instead of names in access.conf. Review every rule whose origin token is not an address, a netgroup or a domain suffix, since those are the tokens a vulnerable pam_access would resolve.
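To make the rule evaluation concrete, the following Python model, an added example rather than Linux-PAM's own C code, re-implements the access.conf matching described in the Vulnerability Details and Exploit Details sections with an injectable name resolver. The sample access.conf, the address 203.0.113.17 and the DNS answers in EVIL_DNS are constructed for the demonstration. The nodns flag models the hardened behaviour in which non-address tokens are never resolved, and dns_resolved_tokens() is the audit this section recommends: it lists the origin tokens a vulnerable pam_access would hand to the resolver. Hostname-string rhosts, netgroups and the exact LOCAL semantics are left out of the model.

```python
"""Model of pam_access origin matching, before and after the nodns hardening.

Added example, not Linux-PAM's code: it mimics the access.conf evaluation with
an injectable name resolver so the CVE-2024-10963 bypass can be shown offline.
The access.conf text, DNS answers and addresses are constructed; LOCAL and
group handling are simplified and remote logins carry an IP literal as rhost.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed access.conf: root only on local consoles, admins only from the
# management network, everyone else denied.  "tty1"/"tty2" are TTY names.
ACCESS_CONF = """\
# permission : users : origins
+ : root : tty1 tty2
+ : admins : 192.0.2.0/24
- : ALL : ALL
"""

# Constructed attacker-controlled resolution (a DNS zone on the target's
# search path, a poisoned resolver, or a hosts entry): "tty1" -> attacker.
EVIL_DNS = {"tty1": ["203.0.113.17"]}


@dataclass
class Login:
    user: str
    groups: tuple
    tty: Optional[str]    # PAM_TTY, e.g. "tty1" for a console login
    rhost: Optional[str]  # PAM_RHOST as an IP literal; None for local logins


def parse_access_conf(text: str):
    """Return [(allow, user_tokens, origin_tokens), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def list_match(tokens, matcher) -> bool:
    """A match before EXCEPT wins unless a token after EXCEPT also matches."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], matcher) and not list_match(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def user_match(tok: str, login: Login) -> bool:
    return tok == "ALL" or tok == login.user or tok in login.groups


def origin_match(tok: str, login: Login, resolve, nodns: bool) -> bool:
    """Compare one origin token with the login's origin (rhost, else tty)."""
    origin = login.rhost or login.tty
    if origin is None:
        return False
    if tok == "ALL":
        return True
    if tok == "LOCAL":                  # simplified: any non-remote login
        return login.rhost is None
    if tok.startswith("."):             # domain-suffix rule
        return origin.lower().endswith(tok.lower())
    if tok.lower() == origin.lower():   # literal match: tty name or host name
        return True
    if login.rhost is None:
        return False                    # console login: nothing else to compare
    try:                                # address/network token vs. the peer IP
        return ipaddress.ip_address(login.rhost) in ipaddress.ip_network(tok, strict=False)
    except ValueError:
        pass
    if nodns:
        return False                    # hardened: other tokens are never resolved
    # Vulnerable path (CVE-2024-10963): any remaining token, TTY names included,
    # is resolved as a hostname and its addresses compared with the peer IP.
    return login.rhost in resolve(tok)


def login_access(rules, login: Login, resolve, nodns: bool = False) -> bool:
    """First matching rule decides; with no match pam_access grants access."""
    for allow, users, origins in rules:
        if list_match(users, lambda t: user_match(t, login)) and list_match(
                origins, lambda t: origin_match(t, login, resolve, nodns)):
            return allow
    return True


def dns_resolved_tokens(rules) -> List[str]:
    """Audit: origin tokens a pre-fix pam_access would hand to the resolver."""
    at_risk = set()
    for _, _, origins in rules:
        for tok in origins:
            if tok in ("ALL", "LOCAL", "EXCEPT") or tok[0] in ".@":
                continue
            try:
                ipaddress.ip_network(tok, strict=False)
            except ValueError:
                at_risk.add(tok)
    return sorted(at_risk)


def demo() -> dict:
    rules = parse_access_conf(ACCESS_CONF)
    resolve = lambda name: EVIL_DNS.get(name, [])
    console = Login("root", ("root",), tty="tty1", rhost=None)
    attacker = Login("root", ("root",), tty="pts/0", rhost="203.0.113.17")
    return {
        "console_legacy": login_access(rules, console, resolve),
        "attacker_legacy": login_access(rules, attacker, resolve),  # bypass
        "attacker_nodns": login_access(rules, attacker, resolve, nodns=True),
        "tokens_at_risk": dns_resolved_tokens(rules),
    }
```

Running demo() shows the console root login allowed in both modes, the remote root login from 203.0.113.17 allowed only under the vulnerable resolution policy and denied once nodns is modelled, and tty1 and tty2 reported as the tokens that a vulnerable pam_access would resolve. The same dns_resolved_tokens() check, pointed at a real access.conf, is a quick way to find rules that need to be rewritten as addresses before or instead of relying on nodns.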
To patch the vulnerability, update the Linux-PAM package to a version containing the fix; distributions may ship it as a backport under their own package version, so check your vendor's advisory for CVE-2024-10963. The fixed versions of Linux-PAM are:
Conclusion
CVE-2024-10963 is a high-severity vulnerability in pam_access that can lead to unauthorized access and compromise of Linux systems. System administrators should understand its impact, review their access.conf rules for origin tokens that could be resolved as hostnames, and apply the available mitigation and patches to secure their systems.
Timeline
Published on: 11/07/2024 16:15:17 UTC
Last modified on: 11/11/2024 23:37:25 UTC