RHEL 6 / 7 : pam (RHSA-2015:1640)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.

Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An updated pam package that fixes one security issue is now available
for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Pluggable Authentication Modules (PAM) provide a system whereby
administrators can set up authentication policies without having to
recompile programs to handle authentication.

It was discovered that the _unix_run_helper_binary() function of PAM's
unix_pam module could write to a blocking pipe, possibly causing the
function to become unresponsive. An attacker able to supply large
passwords to the unix_pam module could use this flaw to enumerate
valid user accounts, or cause a denial of service on the system.

Red Hat would like to thank Sebastien Macke of Trustwave SpiderLabs
for reporting this issue.

All pam users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.

See also :


Solution :

Update the affected pam, pam-debuginfo and / or pam-devel packages.

Risk factor :

Medium / CVSS Base Score : 5.8
CVSS Temporal Score : 4.8
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 85530 ()

Bugtraq ID:

CVE ID: CVE-2015-3238

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now