Clarification for an old CVE's mention of PAM (CVE-2007-2768)

Article ID: 236685


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A customer pointed to CVE-2007-2768 being called out in a vulnerability scan report from their PAM environment. The NVD entry for this CVE can be accessed at https://nvd.nist.gov/vuln/detail/CVE-2007-2768

CVE-2007-2768 Detail

> OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.

Environment

PAM 3.x and above

Cause

Clarification for mention of PAM in CVE-2007-2768

Resolution

The CVE was published in 2007, making it 15 years old at the time of writing this KB. It specifically concerns OpenSSH authenticating through a pluggable authentication module (PAM) configured for one-time passwords, which is not relevant to the current Symantec PAM (Privileged Access Manager) design.

Additionally, this finding in the vulnerability scan report is not directed at Symantec PAM but at devices that are accessed through the PAM Client. Because the scan report mentioned PAM, the customer's Security Team concluded that this was a PAM vulnerability. In reality, the Security Team should engage the owners of the devices that were accessed through PAM. The report mentions "OPIE for PAM", but that abbreviation stands for One-Time Passwords in Everything for the pluggable authentication module, not Symantec PAM.
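As an added example, not part of this KB article, the following shell check is the kind of thing a device owner could run on a host named in the scan to confirm whether its sshd PAM stack actually loads the OPIE module. It assumes the Linux-PAM layout, where the sshd service stack lives in /etc/pam.d/sshd and the OPIE module is named pam_opie.so; the two sample stacks below are constructed so the script runs offline without touching the real system configuration.

```shell
#!/bin/sh
# Added example (not from the KB): report whether an sshd PAM stack loads pam_opie.
# Assumption: Linux-PAM syntax, with the OPIE module named pam_opie.so.

# Returns 0 when any active (non-comment) auth/account/password/session line
# in the given PAM configuration file references pam_opie; commented-out
# lines such as "#auth sufficient pam_opie.so" do not count.
uses_pam_opie() {
    grep -Eq '^[[:space:]]*-?(auth|account|password|session)[[:space:]].*pam_opie' "$1"
}

# Constructed sample stacks, standing in for /etc/pam.d/sshd on two hosts.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/sshd.opie" <<'EOF'
# Constructed sample: sshd consults OPIE before the system stack
auth       sufficient   pam_opie.so
auth       include      system-auth
account    include      system-auth
EOF

cat > "$tmpdir/sshd.plain" <<'EOF'
# Constructed sample: OPIE line present but commented out
#auth      sufficient   pam_opie.so
auth       include      system-auth
account    include      system-auth
EOF

# Human-readable verdict for one PAM configuration file.
report() {
    if uses_pam_opie "$1"; then
        echo "$1: pam_opie is active; CVE-2007-2768 may apply to sshd on this host"
    else
        echo "$1: pam_opie is not active; the finding does not apply to this host"
    fi
}

report "$tmpdir/sshd.opie"
report "$tmpdir/sshd.plain"
```

On a real host the owner would call `report /etc/pam.d/sshd` instead of the constructed samples; a host whose stack never loads pam_opie is not exposed to the OPIE-specific response difference the CVE describes, whatever the scanner's banner-based guess was.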

Additional Information

FYI only - Broadcom performs penetration testing on its released/certified versions of PAM. The penetration test reports are not released to customers but are used to ensure the product is secure given the market we serve. Broadcom also runs standard black-box scans and code scans to look for issues.