CVE-2016-3176: Salt Insecure configuration of PAM external authentication service

CVSS Score (3.0): 5.6

Basic Information

EPSS Score: 0.38558%
Published: 5/17/2022
Updated: 10/21/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
salt | pip | < 2015.5.10 | 2015.5.10
salt | pip | >= 2015.8, < 2015.8.8 | 2015.8.8

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper validation of the PAM service name during authentication. When PAM external auth is enabled, Salt's authentication mechanism should enforce the use of a pre-configured service name. The PAMAuth.authenticate function would be responsible for handling authentication requests, and if it accepted a client-specified 'service' parameter without checking against the configured value, this would allow service substitution. This matches the CWE-287 (Improper Authentication) pattern where client-controlled input directly influences authentication mechanisms without proper validation. The confidence is high because this is the logical location for PAM authentication handling and the vulnerability description explicitly mentions client-specified service parameters as the attack vector.
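The service-substitution pattern described above, next to one way to close it, as an added sketch that is not Salt source code. The option key, request fields, credentials and the two service names are hypothetical, and the dictionary of checkers is a constructed stand-in for real PAM stacks.

```python
"""Added illustration of PAM service substitution; not Salt source code.
All names (option key, request fields, service names) are hypothetical."""

CONFIG_KEY = "pam_service"  # hypothetical option name for this sketch

# Constructed stand-ins for PAM stacks that enforce different policies.
PAM_STACKS = {
    "strict-svc": lambda user, pw: (user, pw) == ("alice", "correct-horse"),
    "lax-svc": lambda user, pw: user == "alice",  # constructed weaker policy
}


def authenticate_vulnerable(opts, request):
    # Flaw: a caller-supplied 'service' overrides the operator's choice,
    # so the caller decides which PAM policy judges the credentials.
    service = request.get("service") or opts[CONFIG_KEY]
    return PAM_STACKS[service](request["username"], request["password"])


def authenticate_hardened(opts, request):
    # Fix pattern: the service comes from configuration only. A request
    # that names a different service is rejected (and is worth logging).
    service = opts[CONFIG_KEY]
    supplied = request.get("service")
    if supplied is not None and supplied != service:
        return False
    checker = PAM_STACKS.get(service)
    return bool(checker and checker(request["username"], request["password"]))


OPTS = {CONFIG_KEY: "strict-svc"}  # constructed operator configuration
FORGED = {"username": "alice", "password": "wrong", "service": "lax-svc"}
HONEST = {"username": "alice", "password": "correct-horse"}

if __name__ == "__main__":
    for name, fn in (("vulnerable", authenticate_vulnerable),
                     ("hardened", authenticate_hardened)):
        print(name, "forged:", fn(OPTS, FORGED), "honest:", fn(OPTS, HONEST))
```
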

WAF Protection Rules

WAF Rule

Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient.
