CVE-2019-16729
📋 TL;DR
CVE-2019-16729 is a privilege escalation vulnerability in pam-python that allows local users to gain root privileges by manipulating Python environment variables. This affects systems using pam-python for authentication with vulnerable versions. The vulnerability stems from improper handling of Python's default environment variables in PAM modules.
💻 Affected Systems
- pam-python
📦 What is this software?
Pam Python by Pam Python Project
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, and persistence.
Likely Case
Local user with shell access escalates to root to install malware, modify system configurations, or access sensitive data.
If Mitigated
Attack fails due to proper access controls, SELinux/apparmor restrictions, or lack of local user accounts.
🎯 Exploit Status
Exploit requires local user access and knowledge of the system's PAM configuration. Proof of concept code is available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.7-1 and later
Vendor Advisory: https://usn.ubuntu.com/4552-1/
Restart Required: No
Instructions:
1. Update the pam-python package: sudo apt update && sudo apt upgrade pam-python (Debian/Ubuntu), or use your distribution's package manager.
2. Verify that the installed version is 1.0.7-1 or higher.
3. No service restart is required; PAM modules use the new version on the next authentication.
🔧 Temporary Workarounds
Remove pam-python from PAM configuration
(Linux) Temporarily disable the pam-python module in the PAM authentication stack if it is not essential. Back up /etc/pam.d first: the command below deletes every pam_python.so line from every service file in that directory.
sudo sed -i '/pam_python.so/d' /etc/pam.d/*
sudo systemctl restart systemd-logind
Restrict Python environment variables
(Linux) Set restrictive Python environment variables for PAM execution. Note that sudo does not apply to a shell redirection, so the append must go through tee:
echo 'PYTHONPATH=' | sudo tee -a /etc/environment
echo 'PYTHONHOME=' | sudo tee -a /etc/environment
🧯 If You Can't Patch
- Remove local user accounts that are not strictly necessary
- Implement strict access controls and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check pam-python version: dpkg -l | grep pam-python (Debian/Ubuntu) or rpm -q pam-python (RHEL/SUSE). If version is earlier than 1.0.7-1, system is vulnerable.
Check Version:
dpkg -l | grep pam-python || rpm -q pam-python || apt-cache policy pam-python
Verify Fix Applied:
Verify pam-python version is 1.0.7-1 or higher: dpkg -l | grep pam-python should show version 1.0.7-1 or later.
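As an added example (not part of the advisory or of the pam-python project), the following POSIX shell script wraps the checks above: it compares the installed version against the fixed 1.0.7-1 and lists the PAM service files that still load pam_python.so. It assumes Debian/Ubuntu ship the module as the libpam-python binary package and rpm-based systems as pam-python; the awk fallback is a simplified stand-in for dpkg --compare-versions and is only used when dpkg is absent.

```shell
#!/bin/sh
# Added example (not from the advisory): is the installed pam-python below the
# fixed version, and does any PAM service file still load pam_python.so?

FIXED_VERSION="1.0.7-1"   # fixed version named in the advisory

# version_lt A B: exit 0 if Debian-style version A sorts before B.
# Uses dpkg's own comparison when available; otherwise a numeric compare of
# the dot/dash separated fields (assumption: adequate for plain
# upstream-revision versions such as 1.0.6-1 and 1.0.7-1).
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
        return $?
    fi
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, pa, /[.-]/); m = split(b, pb, /[.-]/)
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? pa[i] + 0 : 0
            y = (i <= m) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# pam_python_status VERSION: prints "vulnerable" or "fixed" for a version string.
pam_python_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# installed_version: version reported by the package manager, or empty when
# the module is not installed (package names are assumptions, see lead-in).
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' libpam-python 2>/dev/null && return
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' pam-python 2>/dev/null && return
    fi
    return 0
}

# pam_python_services PAMDIR: PAM service files under PAMDIR that reference
# pam_python.so (on a live system PAMDIR is /etc/pam.d).
pam_python_services() {
    grep -ls 'pam_python\.so' "$1"/* 2>/dev/null || true
}

# Stand-alone run: report on this host.
ver=$(installed_version)
if [ -z "$ver" ]; then
    echo "pam-python: not installed"
else
    echo "pam-python $ver: $(pam_python_status "$ver")"
fi
svcs=$(pam_python_services /etc/pam.d)
if [ -n "$svcs" ]; then
    echo "PAM services loading pam_python.so:"
    echo "$svcs"
fi
```

Run it as root or any user; it only reads package metadata and /etc/pam.d. A "fixed" result with no services listed means both the package and the configuration are clear.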
📡 Detection & Monitoring
Log Indicators:
- Unusual PAM authentication failures
- Unexpected Python module loads in PAM context
- Sudden privilege changes for local users
Network Indicators:
- None - this is local exploitation only
SIEM Query:
source="auth.log" AND ("pam_python" OR "python") AND ("failure" OR "error")
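To show what the SIEM query above actually matches, here is an added shell example (not from the advisory) that runs the same logic over a handful of constructed auth.log lines, and adds a broader match on any pam_python(...) message so that module activity on privileged services such as sudo or su is visible even when no error is logged. The log lines, host name, user names and module name are made up.

```shell
#!/bin/sh
# Added example (not from the advisory): the advisory's SIEM query, plus a
# broader pam_python activity match, over constructed auth.log lines.

# write_sample_log FILE: constructed sample lines, not real log data.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct  3 10:12:01 host sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50222 ssh2
Oct  3 10:12:05 host sudo: pam_python(sudo:auth): error: failed to import module example_auth
Oct  3 10:12:05 host sudo: pam_unix(sudo:auth): authentication failure; logname=alice uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=alice
Oct  3 10:12:30 host su: pam_python(su:auth): python exception in pam_sm_authenticate
Oct  3 10:13:00 host CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct  3 10:14:10 host login[1400]: pam_python(login:auth): authentication failure for bob
EOF
}

# siem_query_hits FILE: the advisory query
#   ("pam_python" OR "python") AND ("failure" OR "error"), case-insensitive,
# reported as a line count.
siem_query_hits() {
    awk 'tolower($0) ~ /pam_python|python/ && tolower($0) ~ /failure|error/ { n++ }
         END { print n + 0 }' "$1"
}

# pam_python_events FILE: every message emitted by the pam_python module,
# whatever the outcome (the "unexpected Python module loads in PAM context"
# indicator); note the su line above is missed by the SIEM query because it
# logs neither "failure" nor "error".
pam_python_events() {
    awk '/pam_python\(/ { n++ } END { print n + 0 }' "$1"
}

# pam_python_services_seen FILE: distinct PAM services on which pam_python
# fired, one per line, to spot it on privileged services where it is not
# expected.
pam_python_services_seen() {
    sed -n 's/.*pam_python(\([^:]*\):.*/\1/p' "$1" | sort -u
}

log=$(mktemp)
write_sample_log "$log"
echo "SIEM query hits:   $(siem_query_hits "$log")"
echo "pam_python events: $(pam_python_events "$log")"
echo "services seen:     $(pam_python_services_seen "$log" | tr '\n' ' ')"
rm -f "$log"
```

Point the three functions at a real /var/log/auth.log to get the same counts for a host; the gap between the SIEM query count and the pam_python event count is the set of module activations that the advisory's query would not surface.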
🔗 References
- https://bugzilla.suse.com/show_bug.cgi?id=1150510#c1
- https://lists.debian.org/debian-lts-announce/2019/11/msg00020.html
- https://sourceforge.net/p/pam-python/code/ci/0247ab687b4347cc52859ca461fb0126dd7e2ebe/
- https://tracker.debian.org/news/1066790/accepted-pam-python-107-1-source-amd64-all-into-unstable/
- https://usn.ubuntu.com/4552-1/
- https://usn.ubuntu.com/4552-2/
- https://www.debian.org/security/2019/dsa-4555