Bug 1320865 (CVE-2016-3176) - CVE-2016-3176 salt: insecure configuration of PAM external authentication service
Status: CLOSED WONTFIX
Alias: CVE-2016-3176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1320867 1320868 1320869
Blocks: 1368051
Reported: 2016-03-24 08:50 UTC by Andrej Nemec
Modified: 2019-09-29 13:46 UTC (History)

Fixed In Version: salt 2015.5.10
Doc Type: Bug Fix
Last Closed: 2019-06-08 02:50:03 UTC


Description Andrej Nemec 2016-03-24 08:50:16 UTC
This issue involves passing an alternative PAM authentication service with a command that is sent to LocalClient, enabling the attacker to bypass the configured authentication service.

External references:

https://docs.saltstack.com/en/latest/topics/releases/2015.5.10.html
https://docs.saltstack.com/en/latest/topics/releases/2015.8.8.html

Comment 1 Andrej Nemec 2016-03-24 08:52:31 UTC
Created salt tracking bugs for this issue:

Affects: fedora-all [bug 1320867]
Affects: epel-6 [bug 1320868]
Affects: epel-7 [bug 1320869]

