CVE-2016-20014 – This vulnerability in pam_tacplus before versio... (How to Fix)

Q: What is the severity of CVE-2016-20014?

CVE-2016-20014 has a CVSS score of 9.8 (CRITICAL). This vulnerability in pam_tacplus before version 1.4.1 allows attackers to potentially access sensitive authentication data due to improper memory handling. The pam_sm_acct_mgmt function fails to zero out the arep data structure after use, which could leave authentication information in memory. Systems using pam_tacplus for TACACS+ authentication are affected.

📋 TL;DR

This vulnerability in pam_tacplus before version 1.4.1 allows attackers to potentially access sensitive authentication data due to improper memory handling. The pam_sm_acct_mgmt function fails to zero out the arep data structure after use, which could leave authentication information in memory. Systems using pam_tacplus for TACACS+ authentication are affected.

💻 Affected Systems

Products:

pam_tacplus

Versions: All versions before 1.4.1

Operating Systems: Linux systems using PAM with pam_tacplus module

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems where pam_tacplus is configured and used for authentication.

📦 What is this software?

Pam Tacplus by Pam Tacplus Project

View all CVEs affecting Pam Tacplus →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could extract sensitive authentication credentials or session data from memory, leading to complete system compromise and lateral movement.

🟠

Likely Case

Information disclosure of authentication-related data that could facilitate further attacks or credential theft.

🟢

If Mitigated

Limited impact if proper memory protection mechanisms and access controls are in place.

🌐 Internet-Facing: MEDIUM - Requires TACACS+ authentication service exposure and specific conditions for exploitation.

🏢 Internal Only: MEDIUM - Internal attackers with access to memory could potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Exploitation requires memory access and specific conditions to read leftover authentication data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1 and later

Vendor Advisory: https://github.com/kravietz/pam_tacplus/commit/e4c00eba70a0f72c4de77b5f072c69708ec2beab

Restart Required: No

Instructions:

1. Update pam_tacplus to version 1.4.1 or later. 2. Recompile and reinstall the PAM module. 3. No system restart required, but authentication services using pam_tacplus may need reloading.

🔧 Temporary Workarounds

Disable pam_tacplus

linux

Temporarily disable pam_tacplus module if not essential

# Comment out pam_tacplus lines in PAM configuration files
# Typically in /etc/pam.d/* files

🧯 If You Can't Patch

Implement strict access controls to limit who can access systems using pam_tacplus
Monitor for unusual authentication patterns or memory access attempts

🔍 How to Verify

Check if Vulnerable:

Check pam_tacplus version: 'pam_tacplus --version' or check installed package version

Check Version:

pam_tacplus --version 2>/dev/null || rpm -q pam_tacplus || dpkg -l | grep pam-tacplus

Verify Fix Applied:

Verify version is 1.4.1 or later and check PAM configuration files for pam_tacplus usage

📡 Detection & Monitoring

Log Indicators:

Unusual authentication failures
Multiple authentication attempts
Memory access errors in system logs

Network Indicators:

Unusual TACACS+ traffic patterns
Authentication requests from unexpected sources

SIEM Query:

source="*pam*" AND ("tacplus" OR "authentication failure")

📊 Metadata

CVE ID: CVE-2016-20014

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: April 21, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/kravietz/pam_tacplus/commit/e4c00eba70a0f72c4de77b5f072c69708ec2beab Patch,Third Party Advisory
https://github.com/kravietz/pam_tacplus/commit/e4c00eba70a0f72c4de77b5f072c69708ec2beab Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON