Lucene search
+L

NewStart CGSL MAIN 6.06 (SP) : pam Multiple Vulnerabilities (NS-SA-2026-0005)

🗓️ 06 Mar 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 7 Views

Linux PAM on NewStart CGSL MAIN 6.06 has multiple local privilege and information leakage flaws.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2026-0005. The text
# itself is copyright (C) ZTE, Inc.
##

include('compat.inc');

if (description)
{
  script_id(301209);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/06");

  script_cve_id(
    "CVE-2007-0003",
    "CVE-2009-0579",
    "CVE-2010-3316",
    "CVE-2010-3435",
    "CVE-2010-3853",
    "CVE-2013-7041",
    "CVE-2014-2583"
  );

  script_name(english:"NewStart CGSL MAIN 6.06 (SP) : pam Multiple Vulnerabilities (NS-SA-2026-0005)");

  script_set_attribute(attribute:"synopsis", value:
"The remote NewStart CGSL host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 6.06 (SP), has pam packages installed that are affected by multiple
vulnerabilities:

  - pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of
    the invoking application or service during execution of the namespace.init script, which might allow local
    users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as
    demonstrated by the sudo program. (CVE-2010-3853)

  - pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers to log into accounts whose password
    hash, as stored in /etc/passwd or /etc/shadow, has only two characters. (CVE-2007-0003)

  - Linux-PAM before 1.0.4 does not enforce the minimum password age (MINDAYS) as specified in /etc/shadow,
    which allows local users to bypass intended security policy and change their passwords sooner than
    specified. (CVE-2009-0579)

  - The run_coprocess function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) before 1.1.2 does
    not check the return values of the setuid, setgid, and setgroups system calls, which might allow local
    users to read arbitrary files by executing a program that relies on the pam_xauth PAM check.
    (CVE-2010-3316)

  - The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use root privileges during
    read access to files and directories that belong to arbitrary user accounts, which might allow local users
    to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink
    attack on the .pam_environment file in a user's home directory. (CVE-2010-3435)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/notice/NS-SA-2026-0005");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2007-0003");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2009-0579");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2010-3316");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2010-3435");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2010-3853");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2013-7041");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2014-2583");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL pam packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-0003");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2010-3853");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:pam");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:pam-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_main:6");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var os_release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(os_release) || os_release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');

if (os_release !~ "CGSL\sMAIN\s6\.06\s\(SP\)")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.06 (SP)');

if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);

var flag = 0;

var pkgs = {
  'CGSL MAIN 6.06 (SP)': [
    'pam-1.3.1-16.0.1.zncgsl6_6.1.t1.0',
    'pam-devel-1.3.1-16.0.1.zncgsl6_6.1.t1.0'
  ]
};
var pkg_list = pkgs[os_release];
var pkg;
foreach (pkg in pkg_list)
  if (rpm_check(reference:pkg, release:'ZTE ' + os_release, rpm_spec_vers_cmp:TRUE)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pam');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Mar 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 27.2
EPSS0.04121
7