CVE-2000-0378 describes a vulnerability in the pam_console PAM (Pluggable Authentication Module) module used in certain Linux systems, specifically versions 6.0, 6.1, and 6.2. The pam_console module is designed to manage device ownership dynamically by performing a chown (change ownership) operation on various device files when a user logs in. This mechanism is intended to grant the logged-in user appropriate access to devices such as terminals, audio devices, or other peripherals. However, the vulnerability arises because the module does not properly close or revoke open file descriptors to these devices upon user logout. Consequently, a user who had previously logged in can retain an open file descriptor to these devices even after logging out. This lingering access allows the user to potentially sniff or monitor activity on these devices during subsequent user sessions. The vulnerability impacts confidentiality, integrity, and availability since unauthorized users can eavesdrop on device activity, potentially intercept sensitive data, or interfere with device operations. The CVSS score of 7.2 (high severity) reflects the vulnerability's significant impact, with an attack vector classified as local (AV:L), low attack complexity (AC:L), no authentication required (Au:N), and full impact on confidentiality, integrity, and availability (C:C/I:C/A:C). No patches are available for this vulnerability, and no known exploits have been reported in the wild. The affected Linux versions are relatively old, but systems still running these versions or similar PAM configurations remain at risk. The vulnerability is rooted in the design and implementation of the pam_console module and its handling of device ownership and session management.

For European organizations, the primary impact of this vulnerability lies in the potential for insider threats or local attackers to gain unauthorized access to device data streams. Organizations that rely on Linux systems with the affected PAM module versions—particularly in environments where multiple users share the same physical machines or terminals—may face risks of sensitive information leakage, such as keystrokes, audio streams, or other device interactions. This could compromise user credentials, confidential communications, or operational data. Critical infrastructure sectors, research institutions, and enterprises with shared Linux workstations are especially vulnerable to such attacks. The vulnerability undermines trust in session isolation and device access controls, potentially leading to data breaches or operational disruptions. Although exploitation requires local access, the ease of maintaining open file descriptors post-logout increases the attack surface for malicious insiders or compromised accounts. Given the age of the affected versions, the impact today is limited to legacy systems or specialized environments that have not been updated or hardened. However, in such contexts, the vulnerability could facilitate lateral movement or privilege escalation, amplifying its impact.

Since no official patches are available for this vulnerability, organizations should implement compensating controls. First, upgrade Linux systems to supported versions where pam_console is either fixed or replaced by more secure PAM modules. If upgrading is not immediately feasible, disable the pam_console module to prevent its insecure device ownership changes. Implement strict session management policies to ensure that all user sessions and associated file descriptors are properly terminated upon logout. Employ monitoring tools to detect unusual device access patterns or lingering open file descriptors. Restrict physical and local access to critical Linux systems to trusted personnel only, reducing the risk of local exploitation. Additionally, consider using mandatory access control frameworks like SELinux or AppArmor to enforce fine-grained device access policies that can mitigate unauthorized device sniffing. Regularly audit user sessions and device permissions to identify and remediate potential misuse. Finally, educate system administrators and users about the risks of shared device access and the importance of proper session termination.