<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2020-13881: pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if configured with debug parameter
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: "Gollub, Daniel" <daniel.gollub () intl att com>
Date: Mon, 8 Jun 2020 08:59:02 +0000
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
References: CVE-2020-13881, pam_tacplus#149

The TACACS+ shared secret gets logged (syslog) by the PAM tacplus [1] if the
PAM module is configured with the debug parameter. The secrets get logged
at DEBUG loglevel.

pam_tacplus 1.5.3 avoids the logging of the secret, via upstream commit
4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0 [2].

The original README of pam_tacplus held a configuration example with the
debug parameter set, which might have resulted in some setups running in
debug mode, based on the example configuration.

This issue got reported by Adarsh Pandey from Arista Networks [3].

[1] https://github.com/kravietz/pam_tacplus/
[2] https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0
[3] https://github.com/kravietz/pam_tacplus/issues/149

Thanks
Daniel
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
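Added example, not part of the original message or of pam_tacplus: one way to find PAM rules that load pam_tacplus.so with the debug parameter, the condition under which affected versions write the shared secret to syslog. The sample configuration, its addresses and its secret are constructed placeholders, and the function names and the /etc/pam.d-style layout are assumptions.

```python
# Constructed /etc/pam.d-style sample (addresses and secret are placeholders).
SAMPLE = """\
# constructed example, not from the advisory
auth     required  pam_tacplus.so debug server=192.0.2.10 secret=EXAMPLE-SECRET
account  [success=1 default=ignore] /lib/security/pam_tacplus.so \\
         debug server=192.0.2.10 secret=EXAMPLE-SECRET
session  optional  pam_tacplus.so server=192.0.2.10 secret=EXAMPLE-SECRET # debug
auth     required  pam_unix.so debug
"""

def logical_lines(text):
    """Yield (first_line_number, line) with continuations joined, comments cut."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.endswith("\\"):          # backslash-newline continues the rule
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).split("#", 1)[0].strip()
        if line:
            yield start, line
        buf, start = "", None

def audit(text):
    """Return one finding per pam_tacplus rule that carries the debug argument."""
    findings = []
    for number, line in logical_lines(text):
        tokens = line.split()
        # Locate the module token by basename; a bracketed control field may
        # split into several tokens, but all of them precede the module path.
        idx = next((i for i, tok in enumerate(tokens)
                    if tok.rsplit("/", 1)[-1] == "pam_tacplus.so"), None)
        if idx is None:
            continue
        args = tokens[idx + 1:]
        if "debug" in args:
            findings.append({
                "line": number,
                "type": tokens[0].lstrip("-"),   # pam.d layout assumed
                # Report only that a secret is present, never its value.
                "secret_on_line": any(a.startswith("secret=") for a in args),
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding means the rule should have `debug` removed; on a host that ran an affected version with that rule, the shared secret should be treated as exposed to anyone able to read the syslog output.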
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->