7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
24.9%
Problem Description
The opiepasswd(1) program uses getlogin(2) to identify the
user calling opiepasswd(1). In some circumstances
getlogin(2) will return “root” even when running as an
unprivileged user. This causes opiepasswd(1) to allow an
unpriviled user to configure OPIE authentication for the root
user.
Impact
In certain cases an attacker able to run commands as a non
privileged users which have not explicitly logged in, for
example CGI scripts run by a web server, is able to configure
OPIE access for the root user. If the attacker is able to
authenticate as root using OPIE authentication, for example if
“PermitRootLogin” is set to “yes” in sshd_config or the
attacker has access to a local user in the “wheel” group, the
attacker can gain root privileges.
Workaround
Disable OPIE authentication in PAM:
or
Remove the setuid bit from opiepasswd: