Debian Security Advisory
DLA-2596-1 shadow -- LTS security update
- Date Reported:
- 17 Mar 2021
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 756630, Bug 914957.
In Mitre's CVE dictionary: CVE-2017-12424, CVE-2017-20002.
- More information:
Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may escalate privileges in specific configurations.
Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges. It should be noted however that /etc/securetty will be dropped in Debian 11/bullseye.
The newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
For Debian 9 stretch, these problems have been fixed in version 1:4.4-4.1+deb9u1.
We recommend that you upgrade your shadow packages.
For the detailed security status of shadow please refer to its security tracker page at: https://security-tracker.debian.org/tracker/shadow
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS