Improper Authorization in fredhutch/motuz

Valid

Reported on

Mar 7th 2022


Description

When motuz is configured for PAM authentification it skips checking authorization completely. Therefore unprivileged expired accounts and accounts with expired passwords can still login.

Proof of Concept

You can expire an account with chage -E0 <username> and still login.

Impact

Since disabling an account in PAM still allows to login via ssh-keys, it's common to set accounts to expire if you want to deny access. So accounts who technically don't have any privilege are still allowed to login. To circumvent this, after an successful call to pam_authenticateit is necessary to call pam_acct_mgmt.

References

We are processing your report and will contact the fredhutch/motuz team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
ysf submitted a
2 years ago
We have contacted a member of the fredhutch/motuz team and are waiting to hear back 2 years ago
fredhutch/motuz maintainer validated this vulnerability 2 years ago
ysf has been awarded the disclosure bounty
The fix bounty is now up for grabs
fredhutch/motuz maintainer marked this as fixed in 0.2.0 with commit b5a95c 2 years ago
ysf has been awarded the fix bounty
to join this conversation