Bug 1901094 (CVE-2020-27780) - CVE-2020-27780 pam: authentication bypass when the user doesn't exist and root password is blank
Summary: CVE-2020-27780 pam: authentication bypass when the user doesn't exist and roo...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-27780
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1901173
Blocks: Embargoed1900800
TreeView+ depends on / blocked
 
Reported: 2020-11-24 13:41 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-10 15:25 UTC (History)
4 users (show)

Fixed In Version: pam 1.5.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Linux-PAM in the way it handles empty passwords for non-existing users. When the user doesn't exist, PAM tries to authenticate with root and with an empty password, authentication is successful. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-11-24 17:34:06 UTC

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-11-24 13:41:15 UTC 
A flaw was found in Linux-Pam in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.

Reference:
https://github.com/linux-pam/linux-pam/issues/284

Upstream patch:
https://github.com/linux-pam/linux-pam/pull/300
Comment 1 Stefan Cornelius 2020-11-24 16:25:18 UTC 
Introduced in version 1.5.0.
Comment 2 Stefan Cornelius 2020-11-24 16:32:01 UTC 
Created pam tracking bugs for this issue:

Affects: fedora-all [bug 1901173]
Comment 3 Product Security DevOps Team 2020-11-24 17:34:06 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27780
Note You need to log in before you can comment on or make changes to this bug.