
CVE-2024-10963

CVE Details

Visit the official vulnerability details page for CVE-2024-10963 to learn more.

Initial Publication

11/10/2024

Last Update

12/16/2024

Third Party Dependency

libpam-modules

NIST CVE Summary

A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.

CVE Severity

7.4

Our Official Summary

This vulnerability in pam_access allows hostname spoofing to bypass restrictions intended for specific local TTYs or services. This enables attackers with minimal effort to exploit gaps in security policies that rely on access.conf configurations.

This is reported on a few of the third-party images, which do not use pam_access, so the risk of exploitation is low. The impact of an exploit is also low, since these containers present a minimal attack surface.
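As an added example (not part of this advisory or of the pam_access project), the following Python script scans a pam_access access.conf for rules whose origins field uses TTY names rather than hosts, networks or keywords; these are the rules the flaw described above concerns, so they are the ones worth reviewing on hosts that do use pam_access. The sample configuration, the TTY name pattern and the host-detection heuristic are constructed assumptions.

```python
"""Audit a pam_access access.conf for TTY-style origin tokens.

Rules whose origins field names a TTY (for non-networked logins) are the
ones CVE-2024-10963 concerns, because pam_access could also try to match
such a token against a remote (spoofable) hostname.
"""
import ipaddress
import re

# Constructed sample configuration; not taken from any real system.
SAMPLE_ACCESS_CONF = """
# permission : users : origins
+ : root : tty1 tty2
+ : ops : 10.0.0.0/24 LOCAL
- : ALL : ALL
"""

# Assumed pattern for TTY-style tokens (tty1, ttyS0, pts/3, console).
TTY_RE = re.compile(r"^(tty[a-zA-Z0-9]*|pts/\d+|console)$")
KEYWORDS = {"ALL", "LOCAL", "EXCEPT"}


def is_host_like(tok):
    """True for IPs, CIDR networks, and dotted hostnames/domains."""
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return "." in tok


def parse_rules(text):
    """Yield (permission, users, [origin tokens]) for each rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2].split()


def tty_origin_rules(text):
    """Return (permission, users, token) for each TTY-style origin token."""
    findings = []
    for perm, users, origins in parse_rules(text):
        for tok in origins:
            if tok in KEYWORDS or is_host_like(tok):
                continue
            if TTY_RE.match(tok):
                findings.append((perm, users, tok))
    return findings
```

Run `tty_origin_rules(open("/etc/security/access.conf").read())` on a host to list the rules to review; an empty result means no TTY-based origins are configured.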

Status

Ongoing

Affected Products & Versions

| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---------|--------------------|---------------------------|--------|---------------|
| 4.5.15 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.11 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.10 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.8 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.5 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |

Revision History

| Date | Revision |
|------|----------|
| 12/16/2024 | Impacted versions changed from 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
| 12/11/2024 | Official summary revised: This vulnerability in pam_access allows hostname spoofing to bypass restrictions intended for specific local TTYs or services. This enables attackers with minimal effort to exploit gaps in security policies that rely on access.conf configurations. This is reported on a few of the third party images which do not use pam_access. So risk of exploitation is low. Impact of exploit is also low, since these containers present a minimal attack surface. |
| 11/15/2024 | Impacted versions changed from 4.5.8, 4.4.20, 4.5.10 to 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.8, 4.4.20 to 4.5.8, 4.4.20, 4.5.10 |
| 11/13/2024 | Impacted versions changed from 4.5.8 to 4.5.8, 4.4.20 |