Navigation
Search
|
oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)
Friday October 4, 2024. 05:28 PM , from LWN.net
The SUSE Security Team Blog has a detailed
report on its discovery of a privilege escalation in the oath-toolkit, which provides libraries and utilities for managing one-time password (OTP) authentication. Fellow SUSE engineer Fabian Vogt approached our Security Team about the project's PAM module. A couple of years ago, the module gained a feature which allows to place the OTP state file (called usersfile) in the home directory of the to-be-authenticated user. Fabian noticed that the PAM module performs unsafe file operations in users' home directories. Since PAM stacks typically run as root, this can easily cause security issues.
https://lwn.net/Articles/992948/
Related News |
25 sources
Current Date
Dec, Wed 18 - 13:16 CET
|