PAM 0.76 treats a disabled password as if it were an empty (null) password, which allows local and remote malicious users to gain privileges as disabled users.
A serious security violation in PAM was discovered. Disabled passwords (i.e. those with '*' in the password file) were classified as empty passwords, and access to such accounts was granted through the regular login procedure (getty, telnet, ssh). This affects every such account whose shell field in the password file does not refer to /bin/false.
Onl ...
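As an added example, not taken from the advisory or from the PAM project, the following Python script audits passwd/shadow data for the accounts the description says are exposed: entries whose password field is a lock marker but whose shell still permits a login. The sample passwd and shadow lines are constructed. Treating '!'-prefixed fields (the passwd -l convention) as disabled, and /sbin/nologin as a non-login shell, goes beyond what the advisory states and is an assumption here.

```python
"""Audit passwd/shadow pairs for accounts that a "disabled == empty password"
bug would expose: locked accounts whose shell still allows an interactive login.

Added example; sample data below is constructed, not from a real system."""
import sys

# Shells that refuse a login session. /bin/false is the one the advisory names;
# the nologin paths are included as an assumption.
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample data: oldadmin and backup are locked but keep a real shell.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
oldadmin:x:1001:1001:Former admin:/home/oldadmin:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
"""
SAMPLE_SHADOW = """root:$1$constructed$notarealhashvalue00000:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
oldadmin:*:12345:0:99999:7:::
backup:!:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::
"""


def is_disabled_hash(field: str) -> bool:
    """True when the shadow password field is a lock marker, not a hash.
    '*' is the marker the advisory describes; a leading '!' is the
    passwd -l convention and is treated the same way here (assumption)."""
    return field == "*" or field.startswith("!")


def parse_colon_file(text: str) -> dict:
    """Map user name -> list of fields for a passwd- or shadow-style file."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def exposed_accounts(passwd_text: str, shadow_text: str,
                     non_login_shells=NON_LOGIN_SHELLS) -> list:
    """Return (user, shell) for every locked account with a login-capable shell."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    hits = []
    for user, pfields in passwd.items():
        if len(pfields) < 7:
            continue  # malformed passwd line; skip rather than guess
        # An empty shell field means /bin/sh to login(1), so it is login-capable.
        shell = pfields[6] or "/bin/sh"
        sfields = shadow.get(user)
        if sfields is None or len(sfields) < 2:
            continue  # no shadow entry: nothing for this check to decide
        if is_disabled_hash(sfields[1]) and shell not in non_login_shells:
            hits.append((user, shell))
    return hits


if __name__ == "__main__":
    # With --system, read the live files (needs root for /etc/shadow);
    # otherwise run against the constructed sample.
    if "--system" in sys.argv:
        with open("/etc/passwd") as p, open("/etc/shadow") as s:
            result = exposed_accounts(p.read(), s.read())
    else:
        result = exposed_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, shell in result:
        print(f"exposed: {user} (shell {shell})")
```

On a system running an affected PAM, every account this script lists is one where supplying an empty password at getty, telnet or ssh would succeed; the usual mitigation short of upgrading is to set those accounts' shells to /bin/false, which the advisory identifies as the condition that blocks the login.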