|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200508-22] pam_ldap: Authentication bypass vulnerability Vulnerability Scan
Vulnerability Scan Summary pam_ldap: Authentication bypass vulnerability
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200508-22
(pam_ldap: Authentication bypass vulnerability)
When a pam_ldap client attempts to authenticate against an LDAP
server that omits the optional error value from the
PasswordPolicyResponseValue, the authentication attempt will always
succeed.
Impact
A remote attacker may exploit this vulnerability to bypass the
LDAP authentication mechanism, gaining access to the system possibly
with elevated rights.
Workaround
There is no known workaround at this time.
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2641
http://www.kb.cert.org/vuls/id/778916
Solution:
All pam_ldap users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-180"
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|