#VU35033 Input validation error in Debian Linux - CVE-2011-4120

Cybersecurity Help s.r.o.

Published: 2019-11-26 | Updated: 2020-08-08

Vulnerability identifier: #VU35033

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2011-4120

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Debian Linux
Operating systems & Components / Operating system

Vendor: Debian

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Yubico PAM Module before 2.10 performed user authentication when 'use_first_pass' PAM configuration option was not used and the module was configured as 'sufficient' in the PAM configuration. A remote attacker could use this flaw to circumvent common authentication process and obtain access to the account in question by providing a NULL value (pressing Ctrl-D keyboard sequence) as the password string.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Debian Linux: 8.0 - 9.0

External links
https://access.redhat.com/security/cve/cve-2011-4120
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4120
https://security-tracker.debian.org/tracker/CVE-2011-4120
https://www.openwall.com/lists/oss-security/2011/11/07/6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in Debian Linux

Fedora EPEL 6 update for libyubikey, pam_yubico, ykclient