ID CVE-2016-4422 Type cve Reporter NVD Modified 2016-05-10T10:24:22
Description
The pam_sm_authenticate function in pam_sshauth.c in libpam-sshauth might allow context-dependent attackers to bypass authentication or gain privileges via a system user account.
{"openvas": [{"lastseen": "2017-07-24T12:55:02", "references": ["http://www.debian.org/security/2016/dsa-3567.html"], "pluginID": "703567", "description": "It was discovered that libpam-sshauth,\na PAM module to authenticate using an SSH server, does not correctly handle system\nusers. In certain configurations an attacker can take advantage of this flaw to\ngain root privileges.", "edition": 2, "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "published": "2016-05-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "Debian Security Advisory DSA 3567-1 (libpam-sshauth - security update)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4422"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703567", "id": "OPENVAS:703567", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3567.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3567-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703567);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-4422\");\n script_name(\"Debian Security Advisory DSA 3567-1 (libpam-sshauth - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-05-04 00:00:00 +0200 (Wed, 04 May 2016)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3567.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"libpam-sshauth on Debian Linux\");\n script_tag(name: \"insight\", value: \"This package provides a simple PAM\nauthentication mechanism using a remote SSH server. If the user is able to ssh\nto the server configured with libpam-sshauth, they're granted local access.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 0.3.1-1+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 0.4.1-2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 0.4.1-2.\n\nWe recommend that you upgrade your libpam-sshauth packages.\");\n script_tag(name: \"summary\", value: \"It was discovered that libpam-sshauth,\na PAM module to authenticate using an SSH server, does not correctly handle system\nusers. In certain configurations an attacker can take advantage of this flaw to\ngain root privileges.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libpam-sshauth\", ver:\"0.3.1-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpam-sshauth\", ver:\"0.4.1-2\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:48:34", "references": ["http://www.debian.org/security/2016/dsa-3567.html"], "pluginID": "1361412562310703567", "description": "It was discovered that libpam-sshauth,\na PAM module to authenticate using an SSH server, does not correctly handle system\nusers. In certain configurations an attacker can take advantage of this flaw to\ngain root privileges.", "edition": 3, "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "published": "2016-05-04T00:00:00", "title": "Debian Security Advisory DSA 3567-1 (libpam-sshauth - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4422"], "modified": "2017-12-14T00:00:00", "id": "OPENVAS:1361412562310703567", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703567", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3567.nasl 8115 2017-12-14 07:30:22Z teissa $\n# Auto-generated from advisory DSA 3567-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703567\");\n script_version(\"$Revision: 8115 $\");\n script_cve_id(\"CVE-2016-4422\");\n script_name(\"Debian Security Advisory DSA 3567-1 (libpam-sshauth - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-12-14 08:30:22 +0100 (Thu, 14 Dec 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-05-04 00:00:00 +0200 (Wed, 04 May 2016)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3567.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"libpam-sshauth on Debian Linux\");\n script_tag(name: \"insight\", value: \"This package provides a simple PAM\nauthentication mechanism using a remote SSH server. If the user is able to ssh\nto the server configured with libpam-sshauth, they're granted local access.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthis problem has been fixed in version 0.3.1-1+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 0.4.1-2.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 0.4.1-2.\n\nWe recommend that you upgrade your libpam-sshauth packages.\");\n script_tag(name: \"summary\", value: \"It was discovered that libpam-sshauth,\na PAM module to authenticate using an SSH server, does not correctly handle system\nusers. In certain configurations an attacker can take advantage of this flaw to\ngain root privileges.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libpam-sshauth\", ver:\"0.3.1-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpam-sshauth\", ver:\"0.4.1-2\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2016-09-02T18:19:28", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "0.3.1-1+deb8u1", "arch": "all", "packageFilename": "libpam-sshauth_0.3.1-1+deb8u1_all.deb", "packageName": "libpam-sshauth", "operator": "lt"}], "description": "It was discovered that libpam-sshauth, a PAM module to authenticate using an SSH server, does not correctly handle system users. In certain configurations an attacker can take advantage of this flaw to gain root privileges.\n\nFor the stable distribution (jessie), this problem has been fixed in version 0.3.1-1+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed in version 0.4.1-2.\n\nFor the unstable distribution (sid), this problem has been fixed in version 0.4.1-2.\n\nWe recommend that you upgrade your libpam-sshauth packages.", "edition": 1, "reporter": "Debian", "published": "2016-05-04T00:00:00", "title": "libpam-sshauth -- security update", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4422"], "modified": "2016-05-04T00:00:00", "id": "DSA-3567", "href": "http://www.debian.org/security/dsa-3567", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-02T00:07:38", "references": ["https://packages.debian.org/source/jessie/libpam-sshauth", "http://www.debian.org/security/2016/dsa-3567"], "pluginID": "90897", "description": "It was discovered that libpam-sshauth, a PAM module to authenticate using an SSH server, does not correctly handle system users. In certain configurations an attacker can take advantage of this flaw to gain root privileges.", "edition": 5, "reporter": "Tenable", "published": "2016-05-05T00:00:00", "title": "Debian DSA-3567-1 : libpam-sshauth - security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-4422"], "modified": "2016-10-10T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:libpam-sshauth"], "id": "DEBIAN_DSA-3567.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90897", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3567. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90897);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2016/10/10 14:14:53 $\");\n\n script_cve_id(\"CVE-2016-4422\");\n script_xref(name:\"DSA\", value:\"3567\");\n\n script_name(english:\"Debian DSA-3567-1 : libpam-sshauth - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that libpam-sshauth, a PAM module to authenticate\nusing an SSH server, does not correctly handle system users. In\ncertain configurations an attacker can take advantage of this flaw to\ngain root privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/libpam-sshauth\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2016/dsa-3567\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libpam-sshauth packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 0.3.1-1+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpam-sshauth\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libpam-sshauth\", reference:\"0.3.1-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
