Vulnerability Description
pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 8.10 |
Related Weaknesses (CWE)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519927 (Issue Tracking, Mailing List)
- http://secunia.com/advisories/36620 (Broken Link, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2009/09/08/7 (Mailing List)
- http://www.securityfocus.com/bid/36306 (Broken Link, Patch, Third Party Advisory)
- https://launchpad.net/bugs/410171 (Issue Tracking, Patch)
- https://usn.ubuntu.com/828-1/ (Broken Link)
FAQ
What is CVE-2009-3232?
CVE-2009-3232 is a vulnerability with a CVSS score of 9.3 (HIGH). pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which cau...
How severe is CVE-2009-3232?
CVE-2009-3232 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2009-3232?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux.