Bugzilla – Bug 1197654
VUL-0: CVE-2022-28321: pam: access denial bypass in pam_access.so
Last modified: 2022-05-13 06:08:51 UTC
+++ This bug was initially created as a clone of Bug #1197021 +++
From: Thorsten Kukuk
When trying to push upstream an old patch from Josef Moellers for pam_access.so,
I ran into a severe issue:
pam contains a patch pam-hostnames-in-access_conf.patch for bsc#1019866
"-:root:ALL EXCEPT localhost" does not work, although it is documented as
I tested the patch by using an openSUSE Tumbleweed VM, created test user "test0"
and used the following line in /etc/security/access.conf:
"-:test0:ALL EXCEPT 127.0.0.1"
I tried to log in (ssh -l test0 <IP of VM>) from the virtualisation host:
1. tested with our patch: I could log in!
2. tested without our patch: the attempt got correctly blocked
It looks like the patch has a problem if you log in from an IP address
which is not resolvable via DNS. You can log in even if not permitted.
I only tested the patch we have in Tumbleweed. Since the patch was
modified in 2020 by Josef, I have no idea whether the problem is new or
whether it already existed in the old patch, which also already had a security
problem: bsc#1115640, use-correct-IP-address.patch, CVE-2018-17953
The problem seems to be the getaddrinfo (string, ...) around line 800; this
most likely must be getaddrinfo (tok, ...). With this change, this case
works for me. But I cannot do a full validation of all variants.
A fixed patch (which also fixes two memory leaks) can be found here:
With this version it looks as if you cannot log in anymore if your
IP is blocked.
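As an added illustration, not code from the bug report or from Linux-PAM, here is a simplified Python model of how the tested access.conf line is meant to be evaluated: only the configuration token is interpreted as an address or network, while the client's PAM_RHOST is compared numerically and never resolved, so a client IP with no DNS entry still hits the deny rule. ACCESS_CONF is a constructed sample; LOCAL, netgroups and tty origins are omitted.

```python
import ipaddress
from typing import Callable, List

def origin_matches(tok: str, rhost: str) -> bool:
    """Match one configuration origin token against the client's PAM_RHOST.
    Only the token is interpreted as an address/network; the client string is
    parsed numerically and never resolved, so a client IP with no DNS entry
    still matches ALL and still misses the 127.0.0.1 exception."""
    if tok == "ALL":
        return True
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return tok.lower() == rhost.lower()  # non-numeric rhost: exact name match only
    try:
        return addr in ipaddress.ip_network(tok, strict=False)
    except ValueError:
        return False  # name token: real pam_access resolves it via getaddrinfo(tok)

def user_matches(tok: str, user: str) -> bool:
    return tok == "ALL" or tok == user

def list_matches(items: List[str], value: str, match: Callable[[str, str], bool]) -> bool:
    """'A B EXCEPT C D' matches when an item before EXCEPT matches and none after does."""
    if "EXCEPT" in items:
        cut = items.index("EXCEPT")
        included, excluded = items[:cut], items[cut + 1:]
    else:
        included, excluded = items, []
    return any(match(t, value) for t in included) and not any(match(t, value) for t in excluded)

def evaluate(conf: str, user: str, rhost: str) -> bool:
    """True when access is granted: first matching line decides, no match permits.
    Handles permission (+/-), users, origins; LOCAL, netgroups and ttys are omitted."""
    for raw in conf.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":", 2)]
        if len(fields) != 3:
            continue  # blank or comment line
        perm, users, origins = fields
        if (list_matches(users.split(), user, user_matches)
                and list_matches(origins.split(), rhost, origin_matches)):
            return perm == "+"
    return True

# Constructed sample: the deny line used in the report's test, plus the
# hostname variant mentioned for root
ACCESS_CONF = "-:test0:ALL EXCEPT 127.0.0.1\n-:root:ALL EXCEPT localhost\n"
```

Running evaluate(ACCESS_CONF, "test0", "192.168.122.1") with a constructed, unresolvable VM-host address must yield False (denied), which is the regression the report describes.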
Great, thanks guys!
I notice that SUSE:SLE-15:Update shipped the buggy patch without the fixing use-correct-IP-address.patch in revision 1. R2 fixed this 3 years ago.
SUSE:SLE-12:Update and SUSE:SLE-11-SP2:Update have never got the buggy patch.
To sum up, openSUSE:Factory got the fix 2 weeks ago, Leap and SLE15 were vulnerable between r1 and r2 3 years ago. So we're fine.
Still waiting for a CVE to be assigned. Closing anyway since everything is fixed.
CVE-2022-28321 was assigned.