Koozali.org: home of the SME Server

PAM security issue

Brian Dall

PAM security issue
« on: June 20, 2003, 12:35:54 AM »
Just saw the following on a news site -- I'm not sure whether it affects SME Server or not... Can someone with more information confirm whether this PAM setting is set correctly by default, or whether it is anything we SME users need to worry about?

---quote--- from http://www.smh.com.au/articles/2003/06/18/1055828363608.html
A vulnerability has been identified in Linux-PAM which allows malicious local users to escalate their privileges.

PAM stands for Pluggable Authentication Modules, a flexible mechanism for authenticating users.

One module, known as pam_wheel, is often used to allow users belonging to a trusted group to gain root status without supplying a password.

The vulnerability can kick in if the configuration file for pam_wheel has the "trust" option enabled and the "use_uid" option disabled.

Any local user can exploit this vulnerability to spoof log entries, or, in a worst case scenario, obtain super-user privileges.

A workaround suggested by iDefense, the company which revealed the flaw, is to enable the use_uid option in the pam_wheel configuration file.

A version of Linux-PAM which fixes the flaw has already been released.
---end quote---

Thanks,

-Brian
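
The article describes the risky combination as a `pam_wheel` line with `trust` set and `use_uid` absent, and the workaround as adding `use_uid`. Below is an added example, not part of the original thread or of SME Server, that audits a PAM service file for exactly that combination; the sample `su` files it checks are constructed here for demonstration.

```shell
#!/bin/sh
# Added example: flag pam_wheel lines that use "trust" without "use_uid".
# Usage: check_pam_wheel /etc/pam.d/su  (exit 0 = clean, 1 = risky line found)

check_pam_wheel() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        {
            # locate the module field, e.g. pam_wheel.so or /lib/security/pam_wheel.so
            for (i = 1; i <= NF; i++) if ($i ~ /pam_wheel(\.so)?$/) break
            if (i > NF) next
            trust = 0; use_uid = 0
            for (j = i + 1; j <= NF; j++) {     # everything after the module is an option
                if ($j == "trust")   trust = 1
                if ($j == "use_uid") use_uid = 1
            }
            if (trust && !use_uid) { print FILENAME ":" NR ": " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample files (not real SME Server configuration).
samples=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' \
    'auth  sufficient  pam_rootok.so' \
    'auth  sufficient  pam_wheel.so trust' \
    'auth  required    pam_unix.so' > "$samples/su.vulnerable"
printf '%s\n' '#%PAM-1.0' \
    'auth  sufficient  pam_rootok.so' \
    '# auth sufficient pam_wheel.so trust   (old line, disabled)' \
    'auth  sufficient  pam_wheel.so trust use_uid' \
    'auth  required    pam_unix.so' > "$samples/su.fixed"

check_pam_wheel "$samples/su.vulnerable" || echo "-> add use_uid to the pam_wheel line"
check_pam_wheel "$samples/su.fixed" && echo "su.fixed: ok"
```

The commented-out line in `su.fixed` is deliberately ignored, so the check reports only lines PAM would actually evaluate.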

Dan Brown

Re: PAM security issue
« Reply #1 on: June 20, 2003, 12:39:07 AM »
In a default SME install, the only "local user" is root.  Of course, as always, potential security issues should be sent only to smesecurity@mitel.com.

Brian Dall

Re: PAM security issue
« Reply #2 on: June 20, 2003, 12:46:17 AM »
Sorry about posting to the forum rather than sending to the e-mail address.  

I presume that is for home/free users as well as paid corporate users?  Would they send an answer back?

Is there a way for me to remove a post I created if you don't want it out here?

-Brian

Dan Brown

Re: PAM security issue
« Reply #3 on: June 20, 2003, 12:51:47 AM »
That address is for everybody, and they seem to respond even if you're not a paid user (at least, I've gotten responses from them when I've sent in issues, and I'm not a paying user).  No way to cancel the post, though, that I know of.