Detections
Analytics

Debian dla-4306 : libpam-cracklib - security update

medium Nessus Plugin ID 265684

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4306 advisory.

 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4306-1 [email protected] https://www.debian.org/lts/security/ Bastien Roucaris September 21, 2025 https://wiki.debian.org/LTS
 - -------------------------------------------------------------------------

 Package : pam Version : 1.4.0-9+deb11u2 CVE ID : CVE-2024-22365 CVE-2025-6020 Debian Bug : 1061097 1107919

 Multiple vulnerabilities were found in PAM namespace module used to configure private namespaces for user sessions.

 CVE-2024-22365

 An attackers can cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.

 CVE-2025-6020

 pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

 For Debian 11 bullseye, these problems have been fixed in version 1.4.0-9+deb11u2.

 We recommend that you upgrade your pam packages.

 For the detailed security status of pam please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/pam

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libpam-cracklib packages.

See Also

https://security-tracker.debian.org/tracker/source-package/pam

https://security-tracker.debian.org/tracker/CVE-2024-22365

https://security-tracker.debian.org/tracker/CVE-2025-6020

https://packages.debian.org/source/bullseye/pam

Plugin Details

Severity: Medium

ID: 265684

File Name: debian_DLA-4306.nasl

Version: 1.1

Type: local

Agent: unix

Published: 9/21/2025

Updated: 9/21/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2024-22365

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:libpam-modules, p-cpe:/a:debian:debian_linux:libpam-doc, p-cpe:/a:debian:debian_linux:libpam-runtime, p-cpe:/a:debian:debian_linux:libpam-cracklib, p-cpe:/a:debian:debian_linux:libpam0g-dev, p-cpe:/a:debian:debian_linux:libpam-modules-bin, p-cpe:/a:debian:debian_linux:libpam0g

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/21/2025

Vulnerability Publication Date: 6/13/2023

Reference Information

CVE: CVE-2024-22365, CVE-2025-6020