Vulnerability Name:

CVE-2011-3628 (CCN-70937)

Assigned:2011-10-14
Published:2011-10-14
Updated:2014-04-16
Summary:Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS, when using certain configurations such as "session optional pam_motd.so", allows local users to gain privileges by modifying the PATH environment variable to reference a malicious command, as demonstrated via uname.
Per: http://cwe.mitre.org/data/definitions/426.html

"CWE-426: Untrusted Search Path"
CVSS v3 Severity:9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.1 Medium (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
6.9 Medium (CCN CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
5.1 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2011-3628

Source: CCN
Type: BID-50343
Linux-PAM 'pam_env' Module Multiple Local Privilege Escalation Vulnerabilities

Source: UBUNTU
Type: Vendor Advisory
USN-1237-1

Source: CONFIRM
Type: UNKNOWN
https://bugs.launchpad.net/ubuntu/%2Bsource/pam/%2Bbug/610125

Source: CCN
Type: Ubuntu Bug #610125
pam_motd runs commands as root with unsanitised environment

Source: XF
Type: UNKNOWN
linuxpam-pammotd-priv-escalation(70937)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:canonical:libpam-modules:0.9.7:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:libpam-modules:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:libpam-modules:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:canonical:libpam-modules:1.1.3:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:8.04:-:lts:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:10.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:21292
    P
    		USN-1237-1 -- pam vulnerabilities
    2014-06-30
    BACK
    canonical libpam-modules 0.9.7
    canonical libpam-modules 1.1.1
    canonical libpam-modules 1.1.2
    canonical libpam-modules 1.1.3
    canonical ubuntu linux 8.04 -
    canonical ubuntu linux 10.04 -
    canonical ubuntu linux 10.10
    canonical ubuntu linux 11.04
    canonical ubuntu linux 11.10