CVE-2024-10963 - PAM Access Vulnerability Explained — How Hostname Misinterpretation Can Lead to Unauthorized Access

On February 15, 2024, a critical security flaw was identified in pam_access, a widely-used Linux Pluggable Authentication Module (PAM) that controls access to system services and terminals based on configuration rules. This vulnerability, tracked as CVE-2024-10963, may allow an attacker to bypass access restrictions by exploiting a bug in how hostnames are processed.

This article dives deep into the issue, provides code snippets and example exploitation scenarios, and offers mitigation tips for admins.

What is pam_access?

pam_access is a PAM module that restricts or allows user logins based on the configuration in /etc/security/access.conf. The config file uses simple patterns and is often the first line of defense for systems like SSH servers, local consoles, and sensitive services.

A sample rule might look like

-:ALL EXCEPT admin:ALL
+:admin:192.168.1./24

This says: Nobody except the "admin" user can log in, and "admin" only from the local network.

What’s Wrong?

With CVE-2024-10963, certain rules in /etc/security/access.conf are misread as hostnames. This means if you set up patterns or exceptions (like EXCEPT or wildcards), they can be interpreted by pam_access as if they are actual machine hostnames.

So, an attacker could *pretend* to be a "trusted" host by setting their hostname (or IP, if DNS reverse resolves) to one matching a rule, and pam_access would accept them.

Example of a vulnerable rule

+:john:EXCEPT trustedhost

If the attacker’s machine reports trustedhost as its name, access *may be granted*, even if their actual address is not trusted!

Let’s say an admin writes

+:myadmin:EXCEPT backup-server

Admin means to block logins from backup-server, but all other sources are allowed for myadmin.

The attacker sets their machine’s hostname to backup-server. This can be done with

sudo hostnamectl set-hostname backup-server

Optionally, on a WiFi network, they assign themselves a matching IP and register a reverse DNS record.

Step 3: Attempted Login

The attacker tries to log in as myadmin over SSH or local terminal. If the system calls pam_access to check permissions, it looks up the hostname—gets backup-server—and *mistakenly* applies the “except” logic in reverse. Instead of denying access, it may grant it, depending on exact parsing.

Proof-of-Concept Code Snippet

The vulnerability comes from code that parses config rules and compares them to the remote hostname. In older or unpatched versions of pam_access (often part of pam or Linux-PAM), this section would not distinguish clearly between hostnames and config keywords.

Vulnerable Logic (pseudo-code)

if (strcmp(remote_hostname, rule_pattern) == ) {
    allow_access();
}

If rule_pattern was EXCEPT trustedhost and the hostname is trustedhost, this can be tricked.

What’s the Real-World Impact?

If you use pam_access to control sensitive accounts or entry points (like SSH, sudo, or system console), an attacker on your local network — or one who can spoof DNS for your server — might be able to log in just by faking a hostname match.

This is especially dangerous for high-value targets, jump hosts, or anywhere you use host/rule based restrictions.

Remediation: How to Protect Your Systems

1. Patch Immediately:
Major Linux vendors have already patched this vulnerability. Update your system’s pam package!
- For Debian/Ubuntu: sudo apt upgrade libpam-modules
- For Red Hat/CentOS: sudo yum update pam
- Manually from source: Linux-PAM GitHub

2. Harden Your Configs:
Avoid overly broad or ambiguous rules in access.conf. Use explicit hostnames or IPs.

Better

+:myadmin:192.168.1.10
-:myadmin:ALL

3. Audit Your Logs:
Check for suspicious logins, especially from hostnames matching internal keywords or exception patterns.

4. Validate Hostnames:
Where possible, set up PAM to use IP-based matching instead of DNS-based, or require both hostname and IP to match.

References

- Debian Security Advisory on CVE-2024-10963
- Red Hat CVE Page
- Linux-PAM pam_access Documentation
- NVD Entry for CVE-2024-10963

Summary

CVE-2024-10963 is a simple but severe bug: if your system uses pam_access rules with “except” or similar keywords, an attacker might trick the system by spoofing hostnames. Always keep PAM modules updated, review your access rules for clarity, and use explicit IP addresses whenever possible.

If you manage critical Linux systems, patch now and double-check your /etc/security/access.conf for risky patterns.

For more technical coverage and real-world examples like this, stay tuned to [YourSecurityFeed.com](#)!


*Exclusive coverage by [YourSecurityFeed.com](#) — If you found this helpful, please share with a systems admin today!*

Timeline

Published on: 11/07/2024 16:15:17 UTC
Last modified on: 11/11/2024 23:37:25 UTC