AuthLite Security Advisory #11
Summary:
- If you are using pam_authlite module version 2.3.34.1 on Linux, please update immediately and contact us to mitigate a possible local information disclosure (more info below). No other version is affected.
- If you are using our older Linux plugin that uses pam_python and auth.py, please update at your next convenience to the new supported system (more info below).
Issue #11.1 Information Disclosure:
There is an information disclosure bug in the Linux module pam_authlite version 2.3.34.1. As far as we know, there aren't any customers using this version (it contained a bug preventing it from working correctly and there were not any support requests logged about it). However, this code version was available for download on our web site between December 27, 2020 and the end of January 2021, so we are notifying everyone just in case it was deployed anywhere.
If you downloaded the file pam_authlite-2.3.34.1.tar.gz, built, and installed it, then please open a support request at https://tix.authlite.com. We will help you upgrade and mitigate a potential local information disclosure, in which privileged information could be accessed by other users logged into the same machine.
Issue #11.2 pam_python Unsupported:
Prior to 2021, all our Linux plugin support for AuthLite used the third-party module "pam_python", which relies on a now-unsupported version of Python and no longer appears to be updated regularly.
Therefore, we have migrated away from this solution entirely and built our own stand-alone module, "pam_authlite", which does not rely on Python or third-party PAM modules. To update:
- Debian-like: Stop using the pam_python solution by removing the file "authlite" from the folder "/usr/share/pam-configs", and then running "sudo pam-auth-update". Verify that "pam_python.so" lines no longer appear in any files in your /etc/pam.d folder.
- Red Hat/CentOS-like: Stop using the pam_python solution by removing any "pam_python.so" lines from files in your /etc/pam.d folder.
- Follow instructions at https://AuthLite.com/Linux to build and install the new module.
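One way to script the verification step above, as an added example that is not AuthLite's own tooling: it reports active (non-comment) "pam_python.so" lines under a PAM directory and a leftover Debian "authlite" profile. The function names and the sample tree are constructed for illustration; the default paths are the ones named in this advisory.

```shell
#!/bin/sh
# Added example: audit for leftover pam_python configuration.

# Print "file:line:text" for each active (non-comment) pam_python.so reference.
find_pam_python_refs() {
    [ -d "$1" ] || return 0
    find "$1" -type f | sort | while IFS= read -r f; do
        awk -v file="$f" '
            { active = $0; sub(/#.*/, "", active) }   # PAM comments start at "#"
            active ~ /pam_python\.so/ { print file ":" FNR ":" $0 }
        ' "$f"
    done
}

# Return 0 when clean, 1 when pam_python is still configured.
# Defaults are the paths named in the advisory.
audit_pam_python() {
    pam_dir=${1:-/etc/pam.d}
    profile=${2:-/usr/share/pam-configs/authlite}
    rc=0
    refs=$(find_pam_python_refs "$pam_dir")
    if [ -n "$refs" ]; then
        printf 'pam_python.so still referenced:\n%s\n' "$refs"
        rc=1
    fi
    if [ -e "$profile" ]; then
        echo "pam-auth-update profile still present: $profile"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "No pam_python configuration found."; fi
    return "$rc"
}

# Constructed sample tree (not real system files) for a dry run.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/pam.d" "$d/pam-configs"
    printf 'auth required pam_unix.so\n# auth requisite pam_python.so old\n' > "$d/pam.d/sshd"
    printf 'auth requisite pam_python.so /constructed/auth.py\n' > "$d/pam.d/common-auth"
    : > "$d/pam-configs/authlite"
    echo "$d"
}

sample=$(make_sample)
audit_pam_python "$sample/pam.d" "$sample/pam-configs/authlite" || echo "(sample is dirty, as built)"
rm -rf "$sample"
```

To check a live system, call audit_pam_python with no arguments; a non-zero return means one of the removal steps above is still outstanding.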
If you have questions about this advisory, please create a support ticket, and we will be happy to help.