ID CVE-2010-4708
Summary The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the .pam_environment file in a user's home directory, which might allow local users to run programs with an unintended environment by executing a program that relies on the pam_env PAM check.
References
Vulnerable Configurations
  • Linux-PAM 0.99.1.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.1.0
  • Linux-PAM 0.99.2.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.2.0
  • Linux-PAM 0.99.2.1
    cpe:2.3:a:linux-pam:linux-pam:0.99.2.1
  • Linux-PAM 0.99.3.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.3.0
  • Linux-PAM 0.99.4.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.4.0
  • Linux-PAM 0.99.5.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.5.0
  • Linux-PAM 0.99.6.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.6.0
  • Linux-PAM 0.99.6.1
    cpe:2.3:a:linux-pam:linux-pam:0.99.6.1
  • Linux-PAM 0.99.6.2
    cpe:2.3:a:linux-pam:linux-pam:0.99.6.2
  • Linux-PAM 0.99.6.3
    cpe:2.3:a:linux-pam:linux-pam:0.99.6.3
  • Linux-PAM 0.99.7.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.7.0
  • Linux-PAM 0.99.7.1
    cpe:2.3:a:linux-pam:linux-pam:0.99.7.1
  • Linux-PAM 0.99.8.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.8.0
  • Linux-PAM 0.99.8.1
    cpe:2.3:a:linux-pam:linux-pam:0.99.8.1
  • Linux-PAM 0.99.9.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.9.0
  • Linux-PAM 0.99.10.0
    cpe:2.3:a:linux-pam:linux-pam:0.99.10.0
  • Linux-PAM 1.0.0
    cpe:2.3:a:linux-pam:linux-pam:1.0.0
  • Linux-PAM 1.0.1
    cpe:2.3:a:linux-pam:linux-pam:1.0.1
  • Linux-PAM 1.0.2
    cpe:2.3:a:linux-pam:linux-pam:1.0.2
  • Linux-PAM 1.0.3
    cpe:2.3:a:linux-pam:linux-pam:1.0.3
  • Linux-PAM 1.0.4
    cpe:2.3:a:linux-pam:linux-pam:1.0.4
  • Linux-PAM 1.1.0
    cpe:2.3:a:linux-pam:linux-pam:1.1.0
  • Linux-PAM 1.1.1
    cpe:2.3:a:linux-pam:linux-pam:1.1.1
  • Linux-PAM 1.1.2
    cpe:2.3:a:linux-pam:linux-pam:1.1.2
CVSS
Base: 7.2 (as of 25-01-2011 - 12:46)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0891.NASL
    description Updated pam packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
    Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs that handle authentication.
    It was discovered that the pam_namespace module executed the external script namespace.init with an unchanged environment inherited from an application calling PAM. In cases where such an environment was untrusted (for example, when pam_namespace was configured for setuid applications such as su or sudo), a local, unprivileged user could possibly use this flaw to escalate their privileges. (CVE-2010-3853)
    It was discovered that the pam_env and pam_mail modules used root privileges while accessing user's files. A local, unprivileged user could use this flaw to obtain information, from the lines that have the KEY=VALUE format expected by pam_env, from an arbitrary file. Also, in certain configurations, a local, unprivileged user using a service for which the pam_mail module was configured for, could use this flaw to obtain limited information about files or directories that they do not have access to. (CVE-2010-3435)
    Note: As part of the fix for CVE-2010-3435, this update changes the default value of pam_env's configuration option user_readenv to 0, causing the module to not read user's ~/.pam_environment configuration file by default, as reading it may introduce unexpected changes to the environment of the service using PAM, or PAM modules consulted after pam_env.
    It was discovered that the pam_xauth module did not verify the return values of the setuid() and setgid() system calls. A local, unprivileged user could use this flaw to execute the xauth command with root privileges and make it read an arbitrary input file. (CVE-2010-3316)
    Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting the CVE-2010-3435 issue.
    All pam users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 50644
    published 2010-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50644
    title RHEL 6 : pam (RHSA-2010:0891)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201206-31.NASL
    description The remote host is affected by the vulnerability described in GLSA-201206-31 (Linux-PAM: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Linux-PAM. Please review the CVE identifiers referenced below for details. Impact : A local attacker could use specially crafted files to cause a buffer overflow, possibly resulting in privilege escalation or Denial of Service. Furthermore, a local attacker could execute specially crafted programs or symlink attacks, possibly resulting in data loss or disclosure of sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 59704
    published 2012-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59704
    title GLSA-201206-31 : Linux-PAM: Multiple vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0891.NASL
    description From Red Hat Security Advisory 2010:0891 : Updated pam packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
    Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs that handle authentication.
    It was discovered that the pam_namespace module executed the external script namespace.init with an unchanged environment inherited from an application calling PAM. In cases where such an environment was untrusted (for example, when pam_namespace was configured for setuid applications such as su or sudo), a local, unprivileged user could possibly use this flaw to escalate their privileges. (CVE-2010-3853)
    It was discovered that the pam_env and pam_mail modules used root privileges while accessing user's files. A local, unprivileged user could use this flaw to obtain information, from the lines that have the KEY=VALUE format expected by pam_env, from an arbitrary file. Also, in certain configurations, a local, unprivileged user using a service for which the pam_mail module was configured for, could use this flaw to obtain limited information about files or directories that they do not have access to. (CVE-2010-3435)
    Note: As part of the fix for CVE-2010-3435, this update changes the default value of pam_env's configuration option user_readenv to 0, causing the module to not read user's ~/.pam_environment configuration file by default, as reading it may introduce unexpected changes to the environment of the service using PAM, or PAM modules consulted after pam_env.
    It was discovered that the pam_xauth module did not verify the return values of the setuid() and setgid() system calls. A local, unprivileged user could use this flaw to execute the xauth command with root privileges and make it read an arbitrary input file. (CVE-2010-3316)
    Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting the CVE-2010-3435 issue.
    All pam users should upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68144
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68144
    title Oracle Linux 6 : pam (ELSA-2010-0891)
redhat via4
advisories
bugzilla
id 643043
title CVE-2010-3853 pam: pam_namespace executes namespace.init with service's environment
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhsa:tst:20100842001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhsa:tst:20100842002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20100842003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20100842004
  • OR
    • AND
      • comment pam is earlier than 0:1.1.1-4.el6_0.1
        oval oval:com.redhat.rhsa:tst:20100891005
      • comment pam is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100891006
    • AND
      • comment pam-devel is earlier than 0:1.1.1-4.el6_0.1
        oval oval:com.redhat.rhsa:tst:20100891007
      • comment pam-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100891008
rhsa
id RHSA-2010:0891
released 2010-11-16
severity Moderate
title RHSA-2010:0891: pam security update (Moderate)
rpms
  • pam-0:1.1.1-4.el6_0.1
  • pam-devel-0:1.1.1-4.el6_0.1
refmap via4
bid 46046
confirm
gentoo GLSA-201206-31
misc https://bugzilla.redhat.com/show_bug.cgi?id=641335
mlist [oss-security] 20100928 Re: Minor security flaw with pam_xauth
secunia 49711
xf linuxpam-pamenv-priv-escalation(65037)
Last major update 23-07-2012 - 23:25
Published 24-01-2011 - 14:00
Last modified 03-01-2019 - 10:01