-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0943
                          shadow security update
                               18 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           shadow
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   Linux variants
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
                   Reduced Security     -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-20002 CVE-2017-12424 

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2596

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running shadow check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2596-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
March 17, 2021                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : shadow
Version        : 1:4.4-4.1+deb9u1
CVE ID         : CVE-2017-12424 CVE-2017-20002
Debian Bug     : 756630 914957

Several vulnerabilities were discovered in the shadow suite of login
tools. An attacker may escalate privileges in specific configurations.

CVE-2017-20002

    Shadow incorrectly lists pts/0 and pts/1 as physical terminals in
    /etc/securetty. This allows local users to log in as password-less
    users even if they are connected by non-physical means such as SSH
    (hence bypassing PAM's nullok_secure configuration, which only
    accepts an empty password on a tty listed in /etc/securetty). This
    notably affects environments such as virtual machines automatically
    generated with a default blank root password, allowing all local
    users to escalate privileges. It should be noted however that
    /etc/securetty will be dropped in Debian 11/bullseye.
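    As an added illustration (not part of the Debian or AusCERT
    advisory), the following Python script checks a host for the two
    conditions that together make this issue exploitable: pseudo-terminal
    entries (pts/N) in /etc/securetty, and accounts whose /etc/shadow
    password field is empty. The file contents embedded below are
    constructed sample data; on a real host pass the contents of
    /etc/securetty and /etc/shadow (reading the latter needs root). The
    function names are the author's own, not part of the shadow package.

```python
"""Audit for the CVE-2017-20002 condition described in DLA-2596-1.

Added example; not code from the shadow project or the advisory.
Both checks must be true for the nullok_secure bypass to matter:
  1. /etc/securetty lists pseudo-terminals, so a session arriving over
     SSH (pts/N) is treated as a "secure" tty, and
  2. some account has an empty password field in /etc/shadow.
"""
import re

# Constructed sample: a stretch-era securetty that wrongly lists pts/0, pts/1.
SAMPLE_SECURETTY = """\
# /etc/securetty: list of terminals on which root is allowed to login.
console
tty1
tty2
pts/0
pts/1
ttyS0
"""

# Constructed sample shadow file: root has an empty password field.
# '*' and '!' are locked accounts, '$6$...' is a hashed password.
SAMPLE_SHADOW = """\
root::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:18000:0:99999:7:::
bob:!:18000:0:99999:7:::
"""

PTS_RE = re.compile(r"^pts/\d+$")


def pseudo_terminals_in_securetty(text):
    """Return the pts/N entries present in securetty file contents.

    pam_securetty / nullok_secure compare the tty name against whole
    lines, so each line is taken verbatim after stripping whitespace;
    lines starting with '#' are ignored.
    """
    found = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if PTS_RE.match(entry):
            found.append(entry)
    return found


def passwordless_accounts(text):
    """Return account names whose shadow password field is empty.

    Only a genuinely empty second field counts; '*', '!' and hashes do not.
    """
    names = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


def audit(securetty_text, shadow_text):
    """Combine both checks; 'exposed' is True only when both conditions hold."""
    pts = pseudo_terminals_in_securetty(securetty_text)
    empty = passwordless_accounts(shadow_text)
    return {
        "pts_entries": pts,
        "passwordless": empty,
        "exposed": bool(pts) and bool(empty),
    }


if __name__ == "__main__":
    # Real-host usage (as root):
    #   audit(open("/etc/securetty").read(), open("/etc/shadow").read())
    result = audit(SAMPLE_SECURETTY, SAMPLE_SHADOW)
    print("pts entries in securetty:", result["pts_entries"])
    print("accounts with empty password:", result["passwordless"])
    print("nullok_secure bypass possible:", result["exposed"])
```

If the audit reports exposure, the remediation is any of: remove the
pts/N lines from /etc/securetty, set a password for (or lock) the
affected accounts, and apply the shadow update above. The script
reports on file contents only; it does not confirm that the host's PAM
stack actually uses nullok_secure, so treat a positive result as a
finding to verify against /etc/pam.d/common-auth rather than as proof
of exploitability.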

CVE-2017-12424

    The newusers tool could be made to manipulate internal data
    structures in ways unintended by the authors. Malformed input may
    lead to crashes (with a buffer overflow or other memory
    corruption) or other unspecified behaviors. This crosses a
    privilege boundary in, for example, certain web-hosting
    environments in which a Control Panel allows an unprivileged user
    account to create subaccounts.

For Debian 9 stretch, these problems have been fixed in version
1:4.4-4.1+deb9u1.

We recommend that you upgrade your shadow packages.

For the detailed security status of shadow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/shadow

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----