FreeBSD : FreeBSD -- pam_ssh() does not validate service names (e51d5b1a-4638-11e1-9f47-00e0815b8da8)
Medium Nessus Plugin ID 57740
Synopsis
The remote FreeBSD host is missing one or more security-related updates.
Description
Some third-party applications, including KDE's kcheckpass command, allow the user to specify the name of the PAM policy on the command line.
Since OpenPAM does not validate the policy name and simply treats it as a path relative to /etc/pam.d or /usr/local/etc/pam.d, a user who is permitted to run such an application can craft their own policy and cause the application to load and execute modules of their choosing.
Solution
Update the affected packages.