CVE-2020-27780
📋 TL;DR
This Linux-PAM vulnerability allows authentication bypass for non-existent users with empty passwords, effectively granting root access. It affects Linux systems using PAM for authentication with versions prior to 1.5.1. Any service using PAM authentication could be vulnerable.
💻 Affected Systems
- Linux-PAM (Pluggable Authentication Modules)
📦 What is this software?
Linux-PAM, the Pluggable Authentication Modules library maintained by the Linux-PAM project.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via root access on any vulnerable system, enabling complete control, data theft, and lateral movement.
Likely Case
Unauthorized access to systems and services using PAM authentication, potentially leading to privilege escalation and data exposure.
If Mitigated
Limited impact if strong network controls, proper authentication mechanisms, and monitoring are in place to detect unusual authentication attempts.
🎯 Exploit Status
Exploitation requires attempting authentication with a non-existent username and empty password. Simple to automate and execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux-PAM 1.5.1 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1901094
Restart Required: Yes
Instructions:
1. Update the Linux-PAM package to version 1.5.1 or later using your distribution's package manager.
2. Restart affected services that use PAM (e.g., SSH, login).
3. Verify the fix by testing authentication.
🔧 Temporary Workarounds
Disable empty password authentication
(Linux) Configure PAM to reject empty passwords globally
Edit /etc/pam.d/common-auth or the relevant PAM config files to include 'nullok_secure' or remove 'nullok' from password modules
Restrict authentication services
(Linux) Limit network access to services using PAM authentication
Use firewall rules (e.g., iptables, firewalld) to restrict SSH and other services to trusted IPs
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems and restrict access to authentication services
- Enable detailed logging for authentication attempts and monitor for failed/suspicious login patterns
🔍 How to Verify
Check if Vulnerable:
Check the PAM version with 'pam-config --version', or 'rpm -q pam' on RPM-based systems and 'dpkg -l libpam*' on Debian-based systems. If the version is < 1.5.1, the system is vulnerable.
Check Version:
pam-config --version 2>/dev/null || rpm -q pam 2>/dev/null || dpkg -l libpam* 2>/dev/null | grep ^ii
Verify Fix Applied:
After patching, test authentication with a non-existent user and empty password via SSH or local login; it should fail.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts for non-existent users with empty passwords in /var/log/auth.log, /var/log/secure
- Successful root authentication from unusual sources
Network Indicators:
- Multiple authentication attempts to SSH or other services with invalid usernames
- Unusual authentication patterns from unexpected IPs
SIEM Query:
source="auth.log" OR source="secure" (user="*" AND password="") OR (authentication SUCCESS for non-existent user)
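The log indicators above can be checked mechanically. The following is an added example, not part of the original advisory: it scans constructed sshd/auth.log sample lines for an accepted login whose user is not a known local account, and counts "invalid user" failures per source host. The sample lines, IP addresses and the KNOWN_USERS set are constructed placeholders standing in for a real auth.log and /etc/passwd.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from a real system); hosts and IPs are placeholders.
SAMPLE_LOG = """\
Dec  1 10:00:01 host sshd[1001]: Invalid user ghost from 203.0.113.5 port 50001
Dec  1 10:00:01 host sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Dec  1 10:00:02 host sshd[1001]: Failed password for invalid user ghost from 203.0.113.5 port 50001 ssh2
Dec  1 10:00:05 host sshd[1002]: Accepted password for nosuchuser from 203.0.113.5 port 50002 ssh2
Dec  1 10:00:09 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 50003 ssh2
Dec  1 10:00:12 host sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 50004 ssh2
"""

# Constructed local account list standing in for /etc/passwd on the monitored host.
KNOWN_USERS = {"root", "alice", "bob"}

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
FAILED_INVALID = re.compile(r"sshd\[\d+\]: Failed \S+ for invalid user (\S+) from (\S+)")


def find_suspicious_logins(log_text, known_users):
    """Return 'Accepted' events whose user is not a known local account.

    A successful login for a user that does not exist locally is the log
    indicator this advisory describes, so it is flagged regardless of source.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(2) not in known_users:
            hits.append({"method": m.group(1), "user": m.group(2), "rhost": m.group(3)})
    return hits


def invalid_user_failures_by_source(log_text, threshold=2):
    """Count 'Failed ... for invalid user' lines per remote host and return
    the sources at or above the threshold (the network indicator above)."""
    counts = Counter(
        m.group(2) for line in log_text.splitlines()
        for m in [FAILED_INVALID.search(line)] if m
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG, KNOWN_USERS):
        print("ALERT accepted login for unknown user:", hit)
    print("noisy sources:", invalid_user_failures_by_source(SAMPLE_LOG))
```

On a real host, feed the script /var/log/auth.log or /var/log/secure and build KNOWN_USERS from /etc/passwd (or `getent passwd`) rather than the constructed set.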