A customer sent a list of vulnerabilities to check whether PAM is affected.
Vulnerability: QID-38904: 3 - Medium - OpenSSH Remote Code Execution (RCE) Vulnerability in its forwarded ssh-agent
We have discovered this vulnerability (CVE-2023-38408) - It is a condition where specific libraries loaded via ssh-agent(1)'s PKCS#11
support could be abused to achieve remote code execution via a forwarded agent socket if the conditions mentioned here are met.
Response: This is a vulnerability in ssh-agent. PAM does not enable ssh-agent.
Vulnerability: QID-38987: 3 - Medium - OpenSSH User Enumeration Vulnerability (CVE-2018-15473)
Response: There is only one user who can log in to the PAM instance. It does not impact PAM.
Vulnerability: QID-38903: 3 - Medium - OpenSSH Probable User Enumeration Vulnerability
CVE-2016-20012: OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server,
to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session.
Response: There is only one user in PAM that can log in with a public key. That is the default user root.
Vulnerability: QID-731355: 80: 3 - Medium - Apache Hypertext Transfer Protocol Server (HTTP Server) Multiple Security Vulnerabilities (CVE-2023-38709, CVE-2024-24795)
Response: CVE-2023-38709, CVE-2024-24795: These are vulnerabilities in Apache HTTP Server. They can be exploited by a malicious or compromised backend application that injects
new lines into the HTTP response headers to split the response into parts. These vulnerabilities do not apply to PAM, as the PAM backend application is
within the PAM instance and the Apache HTTP Server inside PAM does not forward requests to any application outside of the PAM instance.
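The response above rests on a property that can be checked in configuration: every backend Apache forwards to is local. The following is an added example, not code from the vendor or from PAM, and it assumes the forwarding is done with mod_proxy directives (ProxyPass, ProxyPassMatch, BalancerMember); the sample configuration is constructed, and CGI or other content generators are outside what it checks.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Directives whose argument names a backend that Apache forwards requests to.
PROXY_DIRECTIVES = {"proxypass", "proxypassmatch", "balancermember"}
URL_TOKEN = re.compile(r"^(unix:|[a-z][a-z0-9+.-]*://)", re.I)

def is_local_backend(target):
    """True for a unix socket, a balancer:// group name, or a loopback host."""
    if target.lower().startswith(("unix:", "balancer://")):
        return True  # balancer members are checked on their own lines
    host = urlsplit(target).hostname or ""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other DNS name is treated as external

def external_backends(config_text):
    """Return (line number, backend URL) for each non-local proxy target."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].lower() not in PROXY_DIRECTIVES:
            continue
        for tok in tokens[1:]:
            tok = tok.strip('"')
            if URL_TOKEN.match(tok):
                if not is_local_backend(tok):
                    findings.append((lineno, tok))
                break  # first URL-like token is the backend
    return findings

# Constructed sample configuration, not taken from a PAM appliance.
SAMPLE = """\
ProxyPass /app http://127.0.0.1:8080/app
ProxyPass /static !
ProxyPassMatch ^/api/(.*)$ ajp://[::1]:8009/api/$1
ProxyPass /legacy https://10.0.0.5:8443/legacy
<Proxy balancer://pool>
    BalancerMember http://backend.example.internal:8080
</Proxy>
"""

if __name__ == "__main__":
    for lineno, url in external_backends(SAMPLE):
        print(f"line {lineno}: forwards to non-local backend {url}")
```

An empty result supports the "backend is inside the instance" argument for the proxied paths; any finding is a backend whose response headers Apache would relay.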
Vulnerability: QID-38902: 3 - Medium - OpenSSH Man-in-the-Middle (MITM) Attack Vulnerability
CVE-2020-14145: The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation.
This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).
NOTE: some reports state that 8.5 and 8.6 are also affected.
Response: This is a vulnerability in the OpenSSH client, not in the server, so it does not impact PAM.
Vulnerability: QID-38900: 3 - Medium - OpenSSH Public-Key Authentication Vulnerability
CVE-2021-36368: If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the
server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect
to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf.
Response: This is a vulnerability in the OpenSSH client. Exploitation of this vulnerability requires the server to have the None authentication scheme set, which is not the case with PAM.
This does not affect PAM.