FreeBSD: E93BC5B0-BB2E-11DA-B2FB-000E0C2E438A
Mar 22, 2006 - 12:00 a.m.

OPIE -- arbitrary password change

2006-03-22 00:00:00
vuxml.freebsd.org

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.001 Low
Percentile: 24.9%

Problem Description
The opiepasswd(1) program uses getlogin(2) to identify the
user calling opiepasswd(1). In some circumstances
getlogin(2) will return “root” even when running as an
unprivileged user. This causes opiepasswd(1) to allow an
unprivileged user to configure OPIE authentication for the root
user.
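
The identity check described above, as an added example that is not part of the original advisory or of FreeBSD's code: it contrasts authorizing by the session login name with authorizing by the real UID of the calling process. The function names and the UID 1001 are constructed for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed pattern described above: trust the session login name.
 * login_name stands in for the value returned by getlogin(2). */
static int allow_by_login_name(const char *login_name, const char *target)
{
    return login_name != NULL && strcmp(login_name, target) == 0;
}

/* Hardened pattern: decide from the real UID of the calling process.
 * target_uid is the UID of the account whose OPIE entry would change. */
static int allow_by_real_uid(uid_t real_uid, uid_t target_uid)
{
    return real_uid == 0 || real_uid == target_uid;
}

/* Resolve the caller's account name from the real UID, not the session.
 * Returns 0 on success, -1 if the UID has no usable passwd entry. */
static int caller_name_from_uid(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || strlen(pw->pw_name) >= len)
        return -1;
    strcpy(buf, pw->pw_name);
    return 0;
}

int main(void)
{
    char name[64];
    const char *login = getlogin();   /* may be stale or NULL */

    if (caller_name_from_uid(name, sizeof name) != 0) {
        fprintf(stderr, "no passwd entry for uid %ld\n", (long)getuid());
        return 1;
    }
    printf("getlogin(): %s, real uid owner: %s\n", login ? login : "(null)", name);
    /* Constructed case: session name "root", real UID 1001, target root. */
    printf("login-name check allows: %d\n", allow_by_login_name("root", "root"));
    printf("real-UID check allows:   %d\n", allow_by_real_uid(1001, 0));
    return 0;
}
```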
Impact
In certain cases an attacker able to run commands as a
non-privileged user who has not explicitly logged in, for
example CGI scripts run by a web server, is able to configure
OPIE access for the root user. If the attacker is able to
authenticate as root using OPIE authentication, for example if
“PermitRootLogin” is set to “yes” in sshd_config or the
attacker has access to a local user in the “wheel” group, the
attacker can gain root privileges.
Workaround
Disable OPIE authentication in PAM:

sed -i "" -e /opie/s/^/#/ /etc/pam.d/*

or

Remove the setuid bit from opiepasswd:

chflags noschg /usr/bin/opiepasswd
chmod 555 /usr/bin/opiepasswd
chflags schg /usr/bin/opiepasswd

OS       Version  Architecture  Package  Version   Filename
FreeBSD  any      noarch        freebsd  = 6.0     UNKNOWN
FreeBSD  any      noarch        freebsd  < 6.0_6   UNKNOWN
