CVE-2022-28321: n/a in n/a
The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.
AI Analysis
Technical Summary
CVE-2022-28321 is a critical vulnerability affecting the Linux-PAM package versions prior to 1.5.2-6.1 specifically in the openSUSE Tumbleweed and openSUSE Factory distributions. The vulnerability resides in the pam_access.so module, which is responsible for restricting user logins based on access control rules. The flaw arises because pam_access.so does not correctly enforce restrictions when a user attempts to authenticate via SSH from an IP address that cannot be resolved through DNS. Under these conditions, the module fails to deny access to users who should be blocked, effectively allowing an authentication bypass. This means that a user who is explicitly denied access by the system's access control policies can still gain SSH access if their connecting IP address lacks a resolvable DNS entry. The vulnerability is notable for requiring no privileges or user interaction to exploit, and it impacts confidentiality, integrity, and availability of the affected systems. The issue is limited in scope to openSUSE Tumbleweed and Factory distributions and does not affect the upstream Linux-PAM project or other Linux distributions. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation over the network without authentication and the severe impact on system security. The underlying weakness is classified under CWE-287 (Improper Authentication). No known public exploits have been reported in the wild as of the published date, but the critical nature of the flaw and its presence in rolling-release distributions used by developers and enterprises make it a significant threat. The vulnerability was published on September 19, 2022, and users of affected openSUSE versions should prioritize patching to Linux-PAM 1.5.2-6.1 or later to remediate this issue.
Potential Impact
For European organizations using openSUSE Tumbleweed or Factory, this vulnerability poses a severe risk. Successful exploitation allows unauthorized SSH access, potentially enabling attackers to gain full control over affected systems. This can lead to data breaches, unauthorized data modification, and disruption of services. Since SSH is a common remote administration protocol, the bypass undermines fundamental access controls, increasing the risk of lateral movement within networks and persistence by attackers. Organizations relying on openSUSE for critical infrastructure, development environments, or production servers may face operational disruptions and compliance violations, especially under GDPR regulations concerning unauthorized access and data protection. The vulnerability's impact is heightened in environments where DNS resolution is unreliable or intentionally manipulated, as attackers can exploit non-resolvable IP addresses to bypass restrictions. Given the critical severity and network-exploitable nature, European enterprises should treat this vulnerability as a high-priority security incident.
Mitigation Recommendations
1. Immediate upgrade of the Linux-PAM package to version 1.5.2-6.1 or later on all openSUSE Tumbleweed and Factory systems is the primary mitigation step.
2. Review and tighten SSH access control policies, ensuring that IP-based restrictions do not rely solely on DNS resolution.
3. Implement network-level controls such as firewall rules to restrict SSH access to trusted IP ranges, reducing exposure to untrusted sources.
4. Monitor SSH login attempts and system logs for unusual access patterns, especially from IP addresses that fail DNS resolution.
5. Consider deploying multi-factor authentication (MFA) for SSH access to add an additional layer of security beyond PAM controls.
6. For environments where patching immediately is not feasible, temporarily disable pam_access.so or configure it to avoid reliance on DNS resolution for access decisions, if possible.
7. Educate system administrators about the risks of DNS-dependent access controls and encourage validation of access control modules after updates.
8. Regularly audit and update DNS infrastructure to minimize unresolved IP addresses that could be exploited.
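Two checks that follow from recommendations 2 and 4, written here as an added example; this is not code from this record, from openSUSE, or from the Linux-PAM project. The first function audits a pam_access.conf for origin fields that can only be matched through name resolution (hostnames and domain suffixes), which is exactly the kind of rule an unresolvable source address can slip past; the second lists sshd logins whose source IP has no PTR record. The pam_access.conf text and the sshd log lines are constructed samples, and the reverse lookup is a constructed PTR table standing in for socket.gethostbyaddr() so the script runs offline; pass system_reverse_lookup as the resolver to use real DNS.

```python
import re
import socket
from ipaddress import ip_address, ip_network

# Constructed pam_access.conf (hypothetical, not from any real host).
# Line 4 relies on a domain suffix and therefore on DNS; the others do not.
SAMPLE_ACCESS_CONF = """\
# permission : users : origins
+ : root : LOCAL
+ : admins : 192.0.2.0/24 198.51.100.7
+ : ops : .example.net
- : ALL : ALL
"""

# Constructed sshd log lines (not from the page); 203.0.113.9 has no PTR record below.
SAMPLE_SSHD_LOG = [
    "Sep 19 10:01:02 host1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50112 ssh2",
    "Sep 19 10:02:15 host1 sshd[2240]: Accepted password for bob from 198.51.100.7 port 50120 ssh2",
    "Sep 19 10:03:40 host1 sshd[2261]: Failed password for carol from 203.0.113.9 port 50131 ssh2",
    "Sep 19 10:04:01 host1 sshd[2270]: Accepted publickey for dave from 203.0.113.9 port 50140 ssh2",
]

# Constructed reverse-DNS table standing in for the resolver (hypothetical data).
FAKE_PTR = {"192.0.2.10": "admin-ws.example.net", "198.51.100.7": "bob-laptop.example.net"}

ORIGIN_KEYWORDS = {"ALL", "LOCAL", "NONE", "EXCEPT"}
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port"
)


def fake_reverse_lookup(ip):
    """Offline stand-in for socket.gethostbyaddr(): hostname or None."""
    return FAKE_PTR.get(ip)


def system_reverse_lookup(ip):
    """Real resolver for production use; gethostbyaddr raises when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _is_address_origin(token):
    """True for origins pam_access matches without DNS: a single IP, a CIDR or
    netmask-form network, or a trailing-dot numeric prefix such as '10.0.0.'."""
    if re.fullmatch(r"\d+(\.\d+){0,3}\.", token):
        return True
    try:
        ip_address(token)
        return True
    except ValueError:
        pass
    try:
        ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def audit_access_conf(conf_text):
    """Return (line_no, origin) for every origin field that needs name resolution."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Split into at most three fields so IPv6 literals in the origin list survive.
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 3:
            continue
        for origin in fields[2].split():
            if origin in ORIGIN_KEYWORDS or origin.startswith("@"):
                continue  # keywords and netgroups are not matched via DNS here
            if re.match(r"^(tty|pts/)", origin) or _is_address_origin(origin):
                continue  # local terminal names and address-based origins
            findings.append((line_no, origin))
    return findings


def unresolvable_logins(log_lines, resolver=fake_reverse_lookup):
    """Return (user, ip, outcome) for sshd logins whose source IP has no PTR record."""
    findings = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        outcome, _method, user, ip = m.groups()
        if resolver(ip) is None:
            findings.append((user, ip, outcome))
    return findings


if __name__ == "__main__":
    for line_no, origin in audit_access_conf(SAMPLE_ACCESS_CONF):
        print(f"pam_access.conf line {line_no}: origin '{origin}' depends on DNS")
    for user, ip, outcome in unresolvable_logins(SAMPLE_SSHD_LOG):
        print(f"{outcome} login for {user} from {ip}: no reverse DNS")
```

The audit flags only origins that pam_access can satisfy solely through name resolution; rewriting those rules as addresses or networks (as line 3 of the sample does) removes the DNS dependency that recommendation 2 warns about. The log check is meant to run over /var/log/messages or journalctl output on a schedule, with system_reverse_lookup as the resolver, so that accepted logins from sources without a PTR record are surfaced for review.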
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-04-01T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683880c6182aa0cae283969b
Added to database: 5/29/2025, 3:44:06 PM
Last enriched: 7/7/2025, 11:24:59 PM
Last updated: 7/26/2025, 1:42:36 AM