Security Advisory

USN-2935-2 PAM regression

Severity

Low

Vendor

Ubuntu

Versions Affected

  • Ubuntu 14.04 LTS

Description

USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. USN-2935-2 fixes the problem.

Original issues from USN-2935-1:

It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041)

Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly performed filtering. A local attacker could use this issue to create arbitrary files, or possibly bypass authentication. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2583)

Sebastien Macke discovered that the PAM pam_unix module incorrectly handled large passwords. A local attacker could possibly use this issue in certain environments to enumerate usernames or cause a denial of service. (CVE-2015-3238)

Affected Products and Versions

Severity is low unless otherwise noted.

  • All versions of Cloud Foundry rootfs prior to 1.45.0
  • Cloud Foundry BOSH stemcells: 3146.x versions prior to 3146.11, and all other versions prior to 3215.4

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run rootfs version 1.45.0 or higher
  • The Cloud Foundry project recommends that Cloud Foundry deployments upgrade BOSH stemcells on the 3146.x line to 3146.11, or other versions to 3232.2
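The following is an added example, not part of the advisory or of any Cloud Foundry tooling: it encodes the affected-version rules and upgrade targets stated above so an inventory of rootfs and stemcell versions can be checked mechanically. The inventory format and the sample entries are constructed for illustration.

```python
# Added example: check rootfs / BOSH stemcell versions against the ranges
# given in USN-2935-2 (Cloud Foundry advisory). Not project code.
from typing import List, Tuple

# Fixed versions as stated in the advisory; anything below is affected.
ROOTFS_FIXED = (1, 45, 0)          # rootfs prior to 1.45.0
STEMCELL_3146_FIXED = (3146, 11)   # 3146.x prior to 3146.11
STEMCELL_OTHER_FIXED = (3215, 4)   # other stemcell lines prior to 3215.4

# Upgrade targets from the Mitigation section.
ROOTFS_TARGET = "1.45.0 or higher"
STEMCELL_3146_TARGET = "3146.11"
STEMCELL_OTHER_TARGET = "3232.2"


def parse_version(text: str, width: int = 2) -> Tuple[int, ...]:
    """Turn '3146.11' or '1.45.0' into an int tuple, zero-padded to `width`."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))


def rootfs_affected(version: str) -> bool:
    return parse_version(version, width=3) < ROOTFS_FIXED


def stemcell_affected(version: str) -> bool:
    v = parse_version(version)
    # The 3146.x line has its own fixed version; every other line is
    # compared against 3215.4.
    if v[0] == 3146:
        return v < STEMCELL_3146_FIXED
    return v < STEMCELL_OTHER_FIXED


# Constructed sample inventory: (name, kind, version). Hypothetical names.
SAMPLE_INVENTORY = [
    ("diego-cell-0", "stemcell", "3146.9"),
    ("diego-cell-1", "stemcell", "3232.2"),
    ("app-rootfs", "rootfs", "1.44.0"),
]


def remediation_report(inventory) -> List[Tuple[str, str, str]]:
    """Return (name, version, action) for every affected entry."""
    out = []
    for name, kind, version in inventory:
        if kind == "rootfs" and rootfs_affected(version):
            out.append((name, version, f"upgrade rootfs to {ROOTFS_TARGET}"))
        elif kind == "stemcell" and stemcell_affected(version):
            line_3146 = parse_version(version)[0] == 3146
            target = STEMCELL_3146_TARGET if line_3146 else STEMCELL_OTHER_TARGET
            out.append((name, version, f"upgrade stemcell to {target}"))
    return out
```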

Credit

Sebastian Krahmer, Sebastien Macke

Author: Cloud Foundry Foundation Security Team