Ubuntu 8.10 / 9.04 : pam vulnerability (USN-828-1)

Ubuntu Security Notice (C) 2009-2013 Canonical, Inc. / NASL script (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Russell Senior discovered that the system authentication module
selection mechanism for PAM did not safely handle an empty selection.
If an administrator had specifically removed the default list of
modules or failed to choose a module when operating debconf in a very
unlikely non-default configuration, PAM would allow any authentication
attempt, which could lead to remote attackers gaining access to a
system with arbitrary privileges. This did not affect default Ubuntu
installations.

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 40906

Bugtraq ID:

CVE ID: CVE-2009-3232