The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAMs nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.
Weakness
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Shadow | Debian | 4.4 (including) | 4.4 (including) |
| Debian_linux | Debian | 9.0 (including) | 9.0 (including) |
| Shadow | Ubuntu | trusty | * |
| Shadow | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/122.html
- https://cwe.mitre.org/data/definitions/233.html
- https://cwe.mitre.org/data/definitions/58.html
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877374
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914957
- https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877374
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914957
- https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html