Improper Authorization in fredhutch/motuz

Valid

Reported on

Mar 7th 2022


Description

When motuz is configured for PAM authentication it skips the authorization (account-management) check completely. Therefore unprivileged expired accounts and accounts with expired passwords can still log in.

Proof of Concept

You can expire an account with chage -E0 <username> and still log in.

Impact

Since disabling an account in PAM still allows login via SSH keys, it is common to set accounts to expire when you want to deny access. So accounts that technically have no privilege at all are still allowed to log in. To prevent this, after a successful call to pam_authenticate it is necessary to call pam_acct_mgmt.
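The following is an added illustration of the two-step PAM login sequence described above and of the chage -E0 proof of concept; it is not code from the motuz project or from the report. It models pam_authenticate and pam_unix's pam_acct_mgmt in pure Python over constructed /etc/shadow-style records (a plain SHA-256 stands in for crypt(3) so it runs anywhere), so that the difference between "password is correct" and "account may log in" is visible. The record format, the expiry rule (expire day reached) and the password-age rule (today past lastchg + max) follow shadow(5); the names SHADOW_DB, login_vulnerable and login_fixed are this example's own.

```python
import hashlib
import time
from typing import Optional

# Constructed /etc/shadow-style records (sample data, not from the report).
# Field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day values are days since 1970-01-01, as in shadow(5).
# A plain SHA-256 stands in for crypt(3) so the example needs no libc.
def _fake_crypt(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

SHADOW_DB = {
    "alice": f"alice:{_fake_crypt('correct-horse')}:19000:0:99999:7:::",  # healthy account
    "bob":   f"bob:{_fake_crypt('correct-horse')}:19000:0:99999:7::0:",   # after `chage -E0 bob`
    "carol": f"carol:{_fake_crypt('correct-horse')}:18000:0:30:7:::",     # password older than max age
}


def parse_shadow(line: str) -> dict:
    """Split one shadow record into the fields the checks below need."""
    fields = line.split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow record")

    def num(v: str) -> Optional[int]:
        return int(v) if v != "" else None  # empty field means "not set"

    return {
        "name": fields[0],
        "hash": fields[1],
        "lastchg": num(fields[2]),
        "max": num(fields[4]),
        "expire": num(fields[7]),
    }


def pam_authenticate(user: str, password: str) -> bool:
    """Model of pam_authenticate(): answers only 'is the password right?'."""
    rec = SHADOW_DB.get(user)
    if rec is None:
        return False
    return parse_shadow(rec)["hash"] == _fake_crypt(password)


def pam_acct_mgmt(user: str, today: int) -> str:
    """Simplified model of pam_unix's pam_acct_mgmt(): account and password-age checks."""
    rec = parse_shadow(SHADOW_DB[user])
    # `chage -E0` stores expire day 0, so any current day is >= it.
    if rec["expire"] is not None and today >= rec["expire"]:
        return "PAM_ACCT_EXPIRED"
    if (rec["lastchg"] is not None and rec["max"] is not None
            and today > rec["lastchg"] + rec["max"]):
        return "PAM_NEW_AUTHTOK_REQD"
    return "PAM_SUCCESS"


def login_vulnerable(user: str, password: str) -> bool:
    """The reported behaviour: authentication only, no account-management step."""
    return pam_authenticate(user, password)


def login_fixed(user: str, password: str, today: int) -> bool:
    """The recommended sequence: pam_authenticate followed by pam_acct_mgmt."""
    if not pam_authenticate(user, password):
        return False
    return pam_acct_mgmt(user, today) == "PAM_SUCCESS"


if __name__ == "__main__":
    today = int(time.time() // 86400)
    for user in SHADOW_DB:
        print(user,
              "vulnerable:", login_vulnerable(user, "correct-horse"),
              "fixed:", login_fixed(user, "correct-horse", today),
              "acct_mgmt:", pam_acct_mgmt(user, today))
```

Run as-is it prints that bob (expired with chage -E0) and carol (password past its maximum age) pass the authentication-only flow but are rejected once pam_acct_mgmt is consulted, while alice passes both. Against real PAM the same shape applies: a return of PAM_SUCCESS from pam_acct_mgmt is the condition for granting the session, not the success of pam_authenticate alone.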

References

We are processing your report and will contact the fredhutch/motuz team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the fredhutch/motuz team and are waiting to hear back 3 months ago
fredhutch/motuz maintainer validated this vulnerability 3 months ago
ysf has been awarded the disclosure bounty
The fix bounty is now up for grabs
fredhutch/motuz maintainer confirmed that a fix has been merged on b5a95c 3 months ago
ysf has been awarded the fix bounty