Описание
pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.
A vulnerability was found in a PAM module, the oath-toolkit. The module gained a feature that allowed placing the OTP state file, called the usersfile, in the home directory of the to-be-authenticated user. The PAM module performed unsafe file operations in the users' home directories. Since PAM stacks typically run as root, this flaw allows a malicious user to jeopardize an environment.
Отчет
This vulnerability is rated Important rather than Moderate due to its potential for full privilege escalation without requiring complex attack vectors. The flaw in the pam_oath.so module allows unprivileged users to manipulate file operations within their home directories to exploit symlink attacks, enabling them to overwrite critical system files, such as /etc/shadow, with root-level privileges. Since PAM stacks typically run as root, this exploitation does not involve race conditions or reliance on environmental factors, making the attack straightforward and highly impactful.
Ceph uses an affected oath-toolkit version. However, it does not use the affected methods and it is not vulnerable to this issue.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 4 | oath-toolkit | Out of support scope | ||
| Red Hat Ceph Storage 5 | oath-toolkit | Affected | ||
| Red Hat Openshift Container Storage 4 | oath-toolkit | Affected | ||
| Red Hat Ceph Storage 6.1 | ceph | Fixed | RHSA-2025:4238 | 28.04.2025 |
| Red Hat Ceph Storage 6.1 | oath-toolkit | Fixed | RHSA-2025:4238 | 28.04.2025 |
| Red Hat Ceph Storage 7.1 | ceph | Fixed | RHSA-2025:4664 | 07.05.2025 |
| Red Hat Ceph Storage 7.1 | oath-toolkit | Fixed | RHSA-2025:4664 | 07.05.2025 |
| Red Hat Ceph Storage 8.0 | ceph | Fixed | RHSA-2025:3635 | 07.04.2025 |
| Red Hat Ceph Storage 8.0 | oath-toolkit | Fixed | RHSA-2025:3635 | 07.04.2025 |
| Red Hat Ceph Storage 8.1 | ceph | Fixed | RHSA-2025:9775 | 26.06.2025 |
Показывать по
Дополнительная информация
Статус:
7.1 High
CVSS3
Связанные уязвимости
pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.
pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.
pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows ...
pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink.
7.1 High
CVSS3